Authentication Bypass in Flag Forge CTF Platform
CVE-2025-61777
Key Information:
- Vendor
Flagforgectf
- Status
- Vendor
- CVE Published:
- 6 October 2025
Badges
What is CVE-2025-61777?
Flag Forge, a popular Capture The Flag (CTF) platform, had a significant vulnerability that existed from version 2.0.0 up to 2.3.2. Specific API endpoints, namely /api/admin/badge-templates (GET) and /api/admin/badge-templates/create (POST), were accessible without proper authentication or authorization. This flaw permitted unauthorized users to access sensitive badge templates and critical metadata such as creation and modification details, or even to create arbitrary badge templates in the database. The potential consequences of this vulnerability included data exposure, unauthorized modification, and database integrity issues. Thankfully, the issue has been addressed in version 2.3.2, which enforces authentication and introduces strict authorization checks, making sure that only administrators can access and manage badge templates.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
flagForge >= 2.0.0, < 2.3.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved