CVE-2025-54118: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in NamelessMC Nameless

Medium
Tags: Vulnerability, CVE-2025-54118, CWE-200
Published: Mon Aug 18 2025 (08/18/2025, 15:59:15 UTC)
Source: CVE Database V5
Vendor/Project: NamelessMC
Product: Nameless

Description

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Sensitive information disclosure in NamelessMC before 2.2.4 allows an unauthenticated remote attacker to obtain sensitive information, such as the absolute path of the source code, via the list parameter. This vulnerability is fixed in 2.2.4.

AI-Powered Analysis

Last updated: 08/18/2025, 16:33:18 UTC

Technical Analysis

CVE-2025-54118 is a medium-severity information disclosure vulnerability in NamelessMC, free and open-source website software for Minecraft server communities. Versions prior to 2.2.4 allow an unauthenticated remote attacker to obtain sensitive information, specifically the absolute filesystem path of the application's source code, by supplying a crafted 'list' parameter. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Exploitation requires no authentication or user interaction and is performed over the network with low complexity. The CVSS v3.1 base score is 5.3 (medium): the confidentiality impact is limited to path disclosure, with no direct exposure of user data, no code execution, and no impact on integrity or availability. On its own the flaw yields neither data access nor control of the host, but a known absolute path removes the guesswork from follow-on attacks that depend on it, such as local file inclusion or directory traversal. The issue is fixed in NamelessMC 2.2.4, and operators should upgrade to that version or later. No exploitation in the wild has been reported, but the platform's wide deployment makes it a plausible reconnaissance target.

Potential Impact

For European organizations running Minecraft server communities or gaming-related websites on NamelessMC versions prior to 2.2.4, this vulnerability poses a moderate risk. Disclosure of absolute file paths reveals the underlying directory structure and can help an attacker locate configuration files or other sensitive resources. The flaw alone does not compromise user data or system integrity, but it lowers the barrier for more damaging attacks such as remote code execution or privilege escalation when chained with other vulnerabilities. Organizations that rely on NamelessMC for community engagement, especially those with large user bases or sensitive user information, face reputational damage and an increased risk of follow-on attacks. Because exploitation is remote and unauthenticated, the flaw is attractive to opportunistic attackers scanning for vulnerable servers. The absence of known in-the-wild exploits and the medium severity rating mean the immediate impact is limited, but it should not be ignored.

Mitigation Recommendations

1. Upgrade to NamelessMC 2.2.4 or later. This is the primary and only complete mitigation.
2. Where an upgrade must wait, add web application firewall (WAF) rules that detect or block requests carrying a 'list' parameter or anomalous query strings aimed at information disclosure. Tune the rule before enforcing it so that any legitimate use of the parameter on the deployed version is not broken.
3. Restrict public access to administrative or otherwise sensitive endpoints where possible, using IP allowlisting or authentication to reduce exposure.
4. Run regular security audits and vulnerability scans on web applications to detect outdated software versions and known vulnerabilities.
5. Monitor web server logs for unusual access patterns or repeated requests containing the 'list' parameter, which indicate probing for this flaw.
6. Train administrators and developers on secure coding practices and on timely patching to prevent similar issues.
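The following is an added example of the log monitoring in recommendation 5; it is not NamelessMC code and is not taken from the advisory. It parses combined-format access log lines, flags requests whose query string carries a `list` parameter (decoding the parameter name so percent- and double-percent-encoded variants are not missed), and counts hits per client address. The log lines are constructed for the example; the parameter name comes from the advisory, while the request paths are assumptions because the advisory does not name the affected endpoint.

```python
"""Flag access-log requests that carry a `list` query parameter.

Added example for the log-monitoring recommendation above; this is not
NamelessMC code. The log lines are constructed. The parameter name `list`
comes from the advisory; the request paths are assumptions, because the
advisory does not name the affected endpoint.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format; only the fields this detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: two probes from one host (the second with a
# double-percent-encoded parameter name), one probe from another host,
# and three benign requests, one of which contains the word "list" only
# as a value, not as a parameter name.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2025:16:01:02 +0000] "GET /index.php?list=probe HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [18/Aug/2025:16:01:03 +0000] "GET /index.php?%256Cist=probe HTTP/1.1" 200 498 "-" "curl/8.4.0"
198.51.100.4 - - [18/Aug/2025:16:02:10 +0000] "GET /index.php?route=/forum/view/1 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Aug/2025:16:02:11 +0000] "GET /index.php?search=list HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Aug/2025:16:02:12 +0000] "GET /style.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Aug/2025:16:05:44 +0000] "GET /index.php?list= HTTP/1.1" 500 310 "-" "python-requests/2.32"
"""


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def list_param_values(target):
    """Values of every `list` parameter in the request target.

    parse_qs percent-decodes names once; decoding the name a second time
    catches double-encoded variants such as %256Cist. Matching on the
    decoded name means a value that merely contains "list" is ignored.
    """
    query = urlsplit(target).query
    values = []
    for name, vals in parse_qs(query, keep_blank_values=True).items():
        if unquote(name).lower() == "list":
            values.extend(vals)
    return values


def find_hits(log_text):
    """All requests carrying a `list` parameter, with source, time and status."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        vals = list_param_values(rec["target"])
        if vals:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "status": rec["status"], "list": vals})
    return hits


def hits_per_source(hits):
    """Number of `list`-parameter requests per client address."""
    return Counter(h["ip"] for h in hits)


def repeat_sources(hits, threshold=2):
    """Client addresses with at least `threshold` hits, sorted for stable output."""
    return sorted(ip for ip, n in hits_per_source(hits).items() if n >= threshold)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} list={h["list"]}')
    print("repeat sources:", repeat_sources(hits))
```

A hit is an indicator, not proof of exploitation: the detector cannot tell from the log whether the response actually leaked a path. Treat repeated hits from one source as reconnaissance, confirm the installed NamelessMC version against 2.2.4, and pair the alert with the upgrade in recommendation 1 rather than relying on monitoring alone.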

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-16T23:53:40.508Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68a35225ad5a09ad00b084b5

Added to database: 8/18/2025, 4:17:41 PM

Last enriched: 8/18/2025, 4:33:18 PM

Last updated: 8/19/2025, 12:34:27 AM
