Cross-Site Request Forgery Vulnerability in Vulnerability-Lookup by Vendor
CVE-2025-42616

7HIGH

Key Information:

Vendor: Circl
Status: Vulnerability-lookup
Vendor: CVE Published:; 8 December 2025

What is CVE-2025-42616?

The Vulnerability-Lookup application contains a significant flaw that allows state-modifying operations through HTTP GET requests without CSRF token validation. This vulnerability permits an attacker to exploit the application's design by tricking a logged-in user into visiting a malicious site, potentially executing unintended state-altering actions as though they were the authenticated user. The exploitation can lead to privilege escalation and unauthorized alterations of settings and configurations. The resolution requires all state-changing requests to utilize HTTP POST methods along with valid CSRF tokens, effectively mitigating the risk of arbitrary GET requests triggering state changes.

Affected Version(s)

Vulnerability-Lookup 0 < 2.18.0

References

https://vulnerability.circl.lu/vuln/gcve-1-2025-0034

vendor-advisory

CVSS V4

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 8, 2025
Vulnerability Reserved
Apr 16, 2025

JSON

Circl

What is CVE-2025-42616?

Affected Version(s)

References

CVSS V4

Timeline