CVE-2025-62614
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| booklore | booklore | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass in BookLore versions 1.8.1 and earlier. It allows any unauthenticated user to access and download book covers, thumbnails, and full PDF/CBX page content without proper authorization. The issue arises because multiple media endpoints lack proper access control, and the CoverJwtFilter does not stop requests without an authentication token, enabling attackers to enumerate and exfiltrate all book content, bypassing intended download permissions.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access and exfiltration of all book content stored in the BookLore system. Attackers can download sensitive or private book media files without any authentication, potentially leading to data leakage, loss of intellectual property, and privacy violations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update BookLore to a version later than 1.8.1 where the issue has been patched (commit b226c43). Until then, restrict access to the media endpoints to authenticated users only and monitor for unauthorized access attempts to book media content.