Authentication Bypass in Flag Forge CTF Platform
CVE-2025-61777

9.4CRITICAL

Key Information:

Vendor: Flagforgectf
Status: Flagforge
Vendor: CVE Published:; 6 October 2025

🔔 Create Flagforgectf Vulnerability Alert

What is CVE-2025-61777?

Flag Forge, a popular Capture The Flag (CTF) platform, had a significant vulnerability that existed from version 2.0.0 up to 2.3.2. Specific API endpoints, namely /api/admin/badge-templates (GET) and /api/admin/badge-templates/create (POST), were accessible without proper authentication or authorization. This flaw permitted unauthorized users to access sensitive badge templates and critical metadata such as creation and modification details, or even to create arbitrary badge templates in the database. The potential consequences of this vulnerability included data exposure, unauthorized modification, and database integrity issues. Thankfully, the issue has been addressed in version 2.3.2, which enforces authentication and introduces strict authorization checks, making sure that only administrators can access and manage badge templates.

Affected Version(s)

flagForge >= 2.0.0, < 2.3.2

References

https://github.com/FlagForgeCTF/flagForge/security/adviso...

x_refsource_CONFIRM

https://github.com/FlagForgeCTF/flagForge/commit/e2121c5f...

x_refsource_MISC

CVSS V3.1

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 6, 2025
Vulnerability Reserved
Sep 30, 2025

JSON