CVE-2025-59833

Publication date: 2025-09-24

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0.
Meta Information
Published: 2025-09-24
Last Modified: 2025-10-08
Generated: 2026-06-16
AI Q&A: 2025-09-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
flagforge | flagforge | From 2.1.0 (inc) to 2.3 (exc)
CWE
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

The vulnerability in Flag Forge versions 2.1.0 to before 2.3.0 is that the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object regardless of whether the user has unlocked them. This means users can view all hints for free without paying points, which breaks the intended business logic and reduces the integrity of the challenge system.

Impact Analysis

This vulnerability allows users to access all challenge hints without restriction or payment, undermining the platform's business model and the fairness of the challenges. It can lead to loss of revenue and damage to the platform's reputation as a fair and secure CTF environment.

Mitigation Strategies

Upgrade Flag Forge to version 2.3.0 or later, where the issue has been patched. Until then, restrict access to the API endpoint GET /api/problems/:id to trusted users only to prevent unauthorized viewing of challenge hints.
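
The class of fix described above, withholding hint text server-side until the caller's unlock record covers it, together with a response check usable as a regression test. This is an added example, not Flag Forge's code; the field names (question.hints, id, cost, text), both function names, and the sample problem are assumptions constructed for illustration.

```javascript
// Added illustration. The schema (question.hints[] with id/cost/text) is an
// assumption, not Flag Forge's actual data model.

// Build the response body for one problem. Hint text is copied into the
// response only for hint ids found in the caller's server-side unlock record.
function serializeProblem(problem, unlockedHintIds) {
  const unlocked = new Set(unlockedHintIds);
  const hints = (problem.question.hints || []).map((h) =>
    unlocked.has(h.id)
      ? { id: h.id, cost: h.cost, unlocked: true, text: h.text }
      : { id: h.id, cost: h.cost, unlocked: false } // text never leaves the server
  );
  return {
    id: problem.id,
    title: problem.title,
    question: { ...problem.question, hints }, // hints overrides the stored array
  };
}

// Regression check on a response body: returns the ids of hints whose text is
// present although the user has not unlocked them. A bare string hint cannot
// be tied to an unlock record, so it is always reported.
function findLeakedHints(body, unlockedHintIds) {
  const unlocked = new Set(unlockedHintIds);
  const hints = (body.question && body.question.hints) || [];
  const leaked = [];
  for (const h of hints) {
    if (typeof h === "string") {
      leaked.push("(untracked string hint)");
    } else if (!unlocked.has(h.id) && typeof h.text === "string" && h.text !== "") {
      leaked.push(h.id);
    }
  }
  return leaked;
}

// Constructed sample record, as it might sit in the datastore.
const sampleProblem = {
  id: "p1",
  title: "Warmup",
  question: {
    description: "Find the flag.",
    hints: [
      { id: "h1", cost: 10, text: "Look at the headers." },
      { id: "h2", cost: 25, text: "Try base64." },
    ],
  },
};
```

Passing the stored record straight to findLeakedHints models the affected behaviour (the full question object returned as-is); passing the output of serializeProblem models the corrected response.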
