Sensitive Information Exposure in reNgine Automated Reconnaissance Framework
CVE-2025-24899

7.1HIGH

Key Information:

Vendor: Yogeshojha
Status: Rengine
Vendor: CVE Published:; 3 February 2025

Summary

A significant vulnerability exists in the reNgine automated reconnaissance framework, allowing an insider attacker to exploit the system and extract sensitive user information from other users. Roles such as Auditor, Penetration Tester, or Systems Administrator can be exploited to issue a GET request to retrieve critical details, including usernames, passwords, emails, roles, and personal activity logs. This vulnerability emphasizes the importance of restricting access based on user roles and necessitates an immediate upgrade to version 2.2.0 to mitigate risks effectively. There are currently no workarounds available.

Affected Version(s)

rengine < 2.2.0

References

https://github.com/yogeshojha/rengine/security/advisories...

x_refsource_CONFIRM

https://github.com/yogeshojha/rengine/commit/a658b8519f1a...

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 3, 2025
Vulnerability Reserved
Jan 27, 2025