CVE-2025-51867: n/a
Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users' credits via sensitive information gained by the /browse/stories endpoint.
AI Analysis
Technical Summary
CVE-2025-51867 is an Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI, the platform served at deepfiction.ai, affecting the service through June 3, 2025. An attacker can query the /browse/stories endpoint to obtain sensitive information that lets them consume other users' credits when chatting with the platform's large language model (LLM). IDOR vulnerabilities arise when an application exposes direct references to internal objects (such as database records or files) without checking that the requester is authorized for them, so an attacker can alter those references to reach data or functionality that is not theirs. Here, the flaw lets an attacker act as another user for the purpose of credit consumption, effectively hijacking that user's allocated resources on the platform. The CVSS v3.1 base score is 6.5, a medium severity rating. The vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates a network-reachable attack of low complexity that requires privileges (most likely an ordinary valid user account), no user interaction and no scope change, with high confidentiality impact and no impact on integrity or availability. No patch and no in-the-wild exploitation have been reported. The weakness is classed as CWE-639, Authorization Bypass Through User-Controlled Key: the application does not verify that the user is authorized for the object identified by a key they supply, which is what permits the unauthorized credit usage. No affected-version details were published, so the flaw may affect every release up to the fix date, or the vendor may simply not disclose version information. In short, an attacker with some level of authenticated access can abuse other users' credits, consuming paid or limited resources on the Deepfiction AI platform on their behalf.
Potential Impact
For European organizations, the primary impact of this vulnerability lies in the unauthorized use of resources and potential financial loss if credits correspond to paid services. Organizations relying on Deepfiction AI for content generation or other AI-driven tasks may face unexpected costs or depletion of allocated credits. Additionally, if the platform is used in regulated industries or for sensitive content generation, unauthorized access to user credits could lead to privacy concerns or misuse of AI-generated outputs. While the vulnerability does not directly impact data integrity or availability, the confidentiality breach of user credit information could undermine trust in the service. Furthermore, if attackers leverage this flaw at scale, it could disrupt normal business operations by exhausting resources, leading to service degradation or denial of service for legitimate users. The medium severity rating reflects that while the impact is significant in terms of confidentiality and resource misuse, it does not directly compromise system integrity or availability. European organizations should be aware of potential indirect impacts such as reputational damage and compliance risks, especially under GDPR if personal data is indirectly exposed or misused through this vulnerability.
Mitigation Recommendations
Deepfiction AI should enforce strict server-side authorization on the /browse/stories endpoint so that a user can only reach their own credit information and related resources: every request must have its authenticated identity checked against the owner of the requested object, with the access control decision made on the server rather than trusting a client-supplied key. Token- or session-based authentication with properly scoped permissions helps prevent unauthorized access, and rate limiting plus anomaly detection on credit consumption can flag abuse early. European organizations using the platform should watch their credit usage closely and report anything suspicious to the provider; until a fix ships, they may also limit user privileges or restrict platform access to trusted personnel. Regular security assessments and penetration tests focused on authorization controls help surface similar flaws proactively. Finally, Deepfiction AI should communicate clearly and patch promptly once the issue is resolved.
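As an added illustration of the CWE-639 pattern and the ownership check that closes it (example code written for this analysis, not Deepfiction AI's own implementation): a hypothetical stories-browse handler that trusts a client-supplied owner id and leaks account material, beside a version that scopes access to the authenticated session and debits credits only from that session's identity. The data model, field names and credit logic are assumptions.

```python
# Added example, not Deepfiction AI's code. The data model below is constructed
# to show the weakness class (CWE-639) and its fix, not the real endpoint.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object or action."""


@dataclass
class Story:
    story_id: int
    owner_id: int
    title: str


@dataclass
class Account:
    user_id: int
    credits: int
    api_key: str  # hypothetical sensitive field; must never reach other users


# Constructed sample data (two users, one story each)
ACCOUNTS = {1: Account(1, 50, "key-user1-SECRET"), 2: Account(2, 5, "key-user2-SECRET")}
STORIES = {101: Story(101, 1, "Alice's draft"), 102: Story(102, 2, "Bob's draft")}


def browse_stories_insecure(requested_owner_id: int) -> list[dict]:
    """CWE-639: the owner id is taken from the request and never compared with the
    session, and the serializer leaks account material tied to credit spending."""
    owner = ACCOUNTS[requested_owner_id]
    return [{"story_id": s.story_id, "title": s.title, "owner_api_key": owner.api_key}
            for s in STORIES.values() if s.owner_id == requested_owner_id]


def browse_stories(session_user_id: int, requested_owner_id: int) -> list[dict]:
    """Fixed: the object lookup is bound to the authenticated principal and the
    response carries no credential or credit material."""
    if requested_owner_id != session_user_id:
        raise Forbidden("stories may only be browsed by their owner")
    return [{"story_id": s.story_id, "title": s.title}
            for s in STORIES.values() if s.owner_id == session_user_id]


def chat_with_llm(session_user_id: int, prompt: str, cost: int = 1) -> int:
    """Credits are debited from the session identity only; the client cannot name
    a different payer. Returns the remaining balance."""
    account = ACCOUNTS[session_user_id]
    if account.credits < cost:
        raise Forbidden("insufficient credits")
    account.credits -= cost
    return account.credits
```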
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 687f9d28a83201eaac1cb94b
Added to database: 7/22/2025, 2:16:08 PM
Last enriched: 7/30/2025, 1:37:36 AM
Last updated: 9/2/2025, 10:23:31 AM