Vulnerability Description
Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability.
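The advisory describes a common information-exposure pattern: a public profile endpoint serialises the whole stored user record, so the email address (and anything else in the row) reaches unauthenticated callers. The fix keeps the endpoint public but returns only public fields. The following JavaScript is an added illustration of that pattern and of a regression check a project could run over the endpoint's JSON; it is not Flag Forge's code, and the record shape, field names (`email`, `passwordHash`, `score`), the `PUBLIC_USER_FIELDS` allowlist and the helper names are assumptions made for the example.

```javascript
// Added example (not from the Flag Forge project): vulnerable vs. hardened
// serialisation of a public user profile, plus a leak check over the JSON.
// The record shape, field names and helper names are assumptions.

// Constructed sample record, as a database row might come back.
const sampleUser = {
  id: 42,
  username: "alice",
  email: "alice@example.org",            // private: must not reach public API
  passwordHash: "<bcrypt-hash-placeholder>", // private: constructed placeholder
  score: 1337,
  createdAt: "2025-01-01T00:00:00Z",
};

// Vulnerable pattern: the stored record is returned as-is, so every column,
// including the email address, is exposed to anyone who knows the username.
function serializeUserVulnerable(user) {
  return JSON.stringify(user);
}

// Hardened pattern: build the public representation from an explicit
// allowlist. A column added later (phone number, API token) stays private
// by default instead of leaking the moment it is stored.
const PUBLIC_USER_FIELDS = ["id", "username", "score", "createdAt"];

function toPublicUser(user) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(user, field)) out[field] = user[field];
  }
  return out;
}

function serializeUserPublic(user) {
  return JSON.stringify(toPublicUser(user));
}

// Regression check for the endpoint's JSON output: walk the parsed response
// and flag any key that commonly holds private data and any string value
// that looks like an email address. Returns a list of JSON paths found.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PRIVATE_KEYS = new Set(["email", "passwordHash", "password", "token"]);

function findPrivateDataLeaks(json) {
  const leaks = [];
  const walk = (value, path) => {
    if (Array.isArray(value)) {
      value.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (value && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) {
        if (PRIVATE_KEYS.has(k)) leaks.push(`${path}.${k} (private key name)`);
        walk(v, `${path}.${k}`);
      }
    } else if (typeof value === "string" && EMAIL_RE.test(value)) {
      leaks.push(`${path} (email-like value)`);
    }
  };
  walk(JSON.parse(json), "$");
  return leaks;
}

// Stand-alone usage: the vulnerable serialiser trips the check, the hardened one does not.
console.log(findPrivateDataLeaks(serializeUserVulnerable(sampleUser)));
console.log(findPrivateDataLeaks(serializeUserPublic(sampleUser)));
```

The allowlist approach is the one to prefer over deleting known-sensitive fields before responding: a denylist has to be updated every time the schema grows, whereas an allowlist fails closed. The leak check is cheap enough to run as a test against the live response of every public endpoint so that a regression like the one in this advisory is caught before release.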
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flagforge | Flagforge | >= 2.0, < 2.3.1 |
Related Weaknesses (CWE)
References
- https://github.com/FlagForgeCTF/flagForge/commit/1b033f1b6e20fbf6df422d5d1afc9b2
- https://github.com/FlagForgeCTF/flagForge/compare/v2.3.1...v2.3.2
- https://github.com/FlagForgeCTF/flagForge/releases/tag/v2.3.1
- https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-qqjv-8r5p-7xp (Vendor Advisory)
FAQ
What is CVE-2025-59843?
CVE-2025-59843 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for ...
How severe is CVE-2025-59843?
CVE-2025-59843 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-59843?
Check the references section above for vendor advisories and patch information. Affected products include: Flagforge Flagforge.