CVE-2025-55165 is a high-severity vulnerability affecting versions of the gelbphoenix autocaliweb web application prior to 0.8.3. Autocaliweb is designed to provide a web interface for browsing, reading, and downloading eBooks from a valid Calibre database. The vulnerability arises from the way the application generates debug packs, which are intended to assist in troubleshooting by serializing configuration data using the to_dict() method. However, this serialization process does not properly filter out sensitive information such as API keys and tokens. As a result, when users generate and share these debug packs—often without full awareness of their contents—they may inadvertently expose private API keys and other sensitive configuration data to unauthorized actors. This exposure can lead to significant confidentiality breaches, as attackers gaining access to API keys could potentially escalate privileges, access backend services, or manipulate data. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating that the core issue is improper handling of sensitive data. The CVSS v3.1 base score is 8.3, reflecting high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no known exploits are reported in the wild yet, the risk remains significant due to the nature of the exposed data and the ease with which users might share debug packs. The issue has been addressed in version 0.8.3 by improving filtering of sensitive fields during serialization.

For European organizations using autocaliweb versions prior to 0.8.3, this vulnerability poses a substantial risk. Exposure of API keys can lead to unauthorized access to backend systems or services integrated via these keys, potentially resulting in data breaches, unauthorized data manipulation, or service disruptions. Given that autocaliweb interfaces with Calibre databases, which may contain proprietary or sensitive eBook collections, intellectual property theft or leakage of confidential content is possible. Additionally, compromised API keys could be leveraged to pivot attacks within an organization's network, escalating privileges or accessing other connected systems. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments where multiple users have access or where debug packs are shared externally for support or troubleshooting. The high impact on confidentiality, integrity, and availability underscores the critical nature of this vulnerability for organizations relying on autocaliweb for eBook management and distribution.

European organizations should immediately verify the version of autocaliweb in use and upgrade to version 0.8.3 or later, where the vulnerability is patched. Beyond upgrading, organizations should implement strict policies governing the generation and sharing of debug packs, ensuring that only authorized personnel can create and distribute them. Debug packs should be scanned for sensitive information before sharing externally. Additionally, organizations should rotate any API keys that may have been exposed through debug packs generated prior to the patch to prevent unauthorized access. Implementing role-based access controls (RBAC) to limit who can generate debug packs and access configuration data can reduce risk. Monitoring and logging access to debug packs and API usage can help detect potential misuse. Finally, educating users about the risks of sharing debug packs without reviewing their contents is essential to prevent inadvertent data leaks.