Description

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available.

INFO

Published Date :

2025-10-06T16:44:27.713Z

Last Modified :

2026-01-28T23:09:53.135Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61777 vulnerability.

Vendors Products
Flagforge
  • Flagforge
Flagforgectf
  • Flagforge
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61777.

URL Resource
https://github.com/FlagForgeCTF/flagForge/commit/e2121c5fb7a512a49dcd875812c944265fb1a846 cve-icon cve-icon
https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-26rx-c53q-rjf9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact