CVE-2025-59841

Critical CVSS: 9.8

Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.

Vendor

Flagforge

Product

Flagforge

CWE

CWE-384

Yayın Tarihi

2025-09-25 16:15:35

Güncelleme

2025-10-08 16:31:08

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-384 Flagforge CRITICAL Flagforge 2025

Referanslar

https://github.com/FlagForgeCTF/flagForge/commit/304b6c82a4f76871b336404b91e5cdd8a7d7d5bd https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-h6pr-4cwv-6cjg

Benzer Kayıtlar

High

CVE-2026-21868

Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (R…

Critical

CVE-2025-61777

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/b…

High

CVE-2025-59932

Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previo…

Medium

CVE-2025-59843

Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[use…

Critical

CVE-2025-59827

Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper acc…

High

CVE-2025-59833

Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/probl…