CVE-2025-59827
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flagforge | flagforge | 2.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Flag Forge version 2.1.0 where the /api/admin/assign-badge endpoint does not have proper access control. As a result, any authenticated user can assign themselves high-privilege badges such as 'Staff', leading to unauthorized privilege escalation and the ability to impersonate administrative roles.
How can this vulnerability impact me?
The vulnerability can allow an attacker who is an authenticated user to escalate their privileges by assigning themselves high-level badges. This can lead to unauthorized access to administrative functions, potential manipulation of the platform, and impersonation of administrative users, which can compromise the security and integrity of the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Flag Forge to version 2.2.0 or later, as this version includes a patch that properly restricts access to the /api/admin/assign-badge endpoint and prevents unauthorized privilege escalation.
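The CWE-862 pattern described above, as an added example that is not Flag Forge's own code: a hypothetical badge-assignment handler in the shape of /api/admin/assign-badge, first with only an authentication check, then with a server-side authorization check and audit logging of denials. User ids, roles and the in-memory store are constructed for the example.

```javascript
// Added example (hypothetical, not Flag Forge's code): badge assignment
// with and without an authorization check (CWE-862).

// Constructed sample state standing in for the application's database.
function makeDb() {
  return {
    users: {
      u1: { role: "user", badges: [] },  // ordinary authenticated user
      u2: { role: "admin", badges: [] }, // administrator
    },
    audit: [],
  };
}

const PRIVILEGED_BADGES = new Set(["Staff", "Admin"]); // constructed names

// Vulnerable pattern: any logged-in session may grant any badge to any
// user, itself included, because the only check is "is there a session?".
function assignBadgeVulnerable(db, session, targetUserId, badge) {
  if (!session) return { status: 401 };
  const target = db.users[targetUserId];
  if (!target) return { status: 404 };
  target.badges.push(badge);
  return { status: 200 };
}

// Hardened pattern: the caller's role is read from server-side state (never
// from the request body), the check runs before any write, and denied
// attempts are logged so a detection rule can alert on them.
function assignBadgeHardened(db, session, targetUserId, badge) {
  if (!session) return { status: 401 };
  const actor = db.users[session.userId];
  if (!actor || actor.role !== "admin") {
    db.audit.push({ event: "badge_assign_denied", actor: session.userId,
                    target: targetUserId, badge });
    return { status: 403 };
  }
  const target = db.users[targetUserId];
  if (!target) return { status: 404 };
  target.badges.push(badge);
  db.audit.push({ event: "badge_assigned", actor: session.userId,
                  target: targetUserId, badge,
                  privileged: PRIVILEGED_BADGES.has(badge) });
  return { status: 200 };
}
```

A useful post-upgrade check is to exercise the endpoint with a non-admin session and confirm it returns 403 rather than 200.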