CVE-2025-8797
BaseFortify

Publication date: 2025-08-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in LitmusChaos Litmus up to 3.19.0 and classified as critical. This issue affects some unknown processing of the component LocalStorage Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-08-10
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-08-10
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: litmuschaos
Product: litmus
Version / Range: up to and including 3.19.0
CWE ID and Description
CWE-266 (Incorrect Privilege Assignment): A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-275: Permission Issues
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in LitmusChaos Litmus up to version 3.19.0 allows a user with low-level permissions (Viewer) to manipulate a client-side localStorage key named "projectRole" in their browser. By changing this key from "Viewer" to "Owner", the frontend incorrectly grants them Owner-level privileges without any backend verification. This enables unauthorized access to Owner-only functions such as creating, modifying, or deleting experiments and project configurations, effectively escalating their permissions. [1, 2]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized privilege escalation, allowing attackers to gain Owner-level access remotely. This can result in unauthorized creation, modification, or deletion of experiments and project configurations, impacting the confidentiality, integrity, and availability of the system. Since the backend does not verify user roles, attackers can misuse or alter critical project data, potentially disrupting operations or causing data loss. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the LitmusChaos Litmus version in use is 3.19.0 or earlier, as these versions are affected. Additionally, detection involves inspecting the localStorage key named "projectRole" in the browser's developer tools to see if it can be manipulated from "Viewer" to "Owner". There are no specific network commands provided to detect exploitation, but monitoring for unauthorized changes in user roles or unexpected Owner-level actions in the frontend may help identify exploitation attempts. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include replacing or upgrading the affected LitmusChaos Litmus component to a version that is not vulnerable, if available. Since no known countermeasures or vendor patches exist, avoiding use of vulnerable versions (up to 3.19.0) is recommended. Monitoring for suspicious privilege escalations and restricting access to the frontend where localStorage manipulation can occur may also help reduce risk. [2]
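The explanation and the mitigation answer above describe one root cause: the frontend reads the caller's role from the "projectRole" localStorage key and the backend never checks it. The following Go example is added here to show the server-side shape of the fix; it is not code from the BaseFortify page or from the Litmus project. It derives the role for every mutating request from server-side project membership and ignores anything the client claims about itself. It assumes a hypothetical X-Authenticated-User header populated by an upstream authentication middleware, a constructed in-memory MembershipStore with sample users alice, bob and mallory, and constructed action names such as "experiment:delete"; only the Viewer and Owner role names and the projectRole field name come from the advisory.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role is a project role as recorded on the server (names from the advisory).
type Role string

const RoleViewer Role = "Viewer"
const RoleOwner Role = "Owner"

// MembershipStore is a hypothetical server-side source of truth for who holds
// which role in which project (in a real service: the database).
type MembershipStore struct {
	roles map[string]map[string]Role // projectID -> userID -> role
}

// NewDemoStore holds constructed sample data: alice owns p1, bob can only view it.
func NewDemoStore() *MembershipStore {
	return &MembershipStore{roles: map[string]map[string]Role{
		"p1": {"alice": RoleOwner, "bob": RoleViewer},
	}}
}

var ErrForbidden = errors.New("forbidden")

// Authorize decides from server-side membership alone whether userID may
// perform action on projectID. Nothing the client says about its own role
// (localStorage, header, JSON field) is consulted; unknown actions are denied.
func Authorize(store *MembershipStore, userID, projectID, action string) error {
	role, ok := store.roles[projectID][userID]
	if !ok {
		return ErrForbidden // not a member of this project at all
	}
	switch action {
	case "experiment:read":
		return nil // any project member may read
	case "experiment:create", "experiment:delete", "project:update":
		if role == RoleOwner {
			return nil
		}
	}
	return ErrForbidden
}

// mutationRequest is the JSON body of a mutating call. projectRole is decoded
// so a client that sends it does not break the request, but it is never read.
type mutationRequest struct {
	ProjectID string `json:"projectId"`
	Role      string `json:"projectRole,omitempty"` // untrusted, ignored
}

// NewDeleteExperimentHandler takes the caller identity from X-Authenticated-User
// (hypothetical header set by auth middleware after validating the session)
// and the role from the store, never from the request body.
func NewDeleteExperimentHandler(store *MembershipStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("X-Authenticated-User")
		if userID == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		var req mutationRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if err := Authorize(store, userID, req.ProjectID, "experiment:delete"); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "experiment deleted")
	}
}

// CallAsUser drives the handler in-process with a constructed body whose
// projectRole field claims Owner and returns the status the server granted.
func CallAsUser(h http.HandlerFunc, userID string) int {
	body := strings.NewReader(`{"projectId":"p1","projectRole":"Owner"}`)
	req := httptest.NewRequest(http.MethodPost, "/experiments/delete", body)
	req.Header.Set("X-Authenticated-User", userID)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	h := NewDeleteExperimentHandler(NewDemoStore())
	for _, u := range []string{"alice", "bob", "mallory"} {
		fmt.Printf("%-8s -> HTTP %d\n", u, CallAsUser(h, u)) // 200, 403, 403
	}
}
```

The point of the design is that the body's projectRole claim has no path into the decision: the only inputs to Authorize are the authenticated identity and the store. Any role cached in the browser remains a display hint, and a Viewer who edits it still receives 403 from every Owner-only endpoint.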

