
CVE-2025-55165: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in gelbphoenix autocaliweb

High
Published: Tue Aug 12 2025 (08/12/2025, 20:52:41 UTC)
Source: CVE Database V5
Vendor/Project: gelbphoenix
Product: autocaliweb

Description

Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the to_dict() method, used to serialize configuration for the debug pack, doesn't adequately filter out sensitive fields such as API tokens. Users, unaware of the full contents, might share these debug packs, inadvertently leaking their private API keys. This issue has been patched in version 0.8.3.

AI-Powered Analysis

Last updated: 08/20/2025, 02:08:15 UTC

Technical Analysis

CVE-2025-55165 is a high-severity vulnerability affecting versions of the gelbphoenix autocaliweb web application prior to 0.8.3. Autocaliweb is designed to provide an interface for browsing, reading, and downloading eBooks from a valid Calibre database. The vulnerability arises from the way the application generates debug packs, which are intended to assist in troubleshooting. Specifically, the to_dict() method used to serialize the application's configuration data for these debug packs does not properly filter out sensitive information such as API keys and tokens. As a result, when users generate and share debug packs, they may inadvertently expose sensitive configuration details to unauthorized actors. This exposure can lead to significant confidentiality breaches, as API keys often grant access to backend services or third-party integrations. The vulnerability requires local access with low privileges and some user interaction (sharing the debug pack), but due to the sensitive nature of the leaked data, the impact on confidentiality, integrity, and availability is high. The vulnerability has been addressed in version 0.8.3 of autocaliweb, which properly sanitizes sensitive fields before including them in debug packs. No known exploits are currently reported in the wild, but the high CVSS score of 8.3 reflects the potential severity if exploited.

Potential Impact

For European organizations using autocaliweb versions prior to 0.8.3, this vulnerability poses a significant risk of sensitive information leakage. Exposure of API keys can lead to unauthorized access to backend systems, data exfiltration, or manipulation of services integrated via those keys. This can compromise the confidentiality and integrity of organizational data and potentially disrupt availability if attackers leverage the keys to perform malicious actions. Organizations relying on autocaliweb for eBook management or distribution may face operational disruptions and reputational damage if sensitive data is leaked. Additionally, given the interconnected nature of IT environments, leaked API keys could be used as pivot points for broader network intrusions. The fact that the vulnerability requires some user interaction (sharing debug packs) means that insider awareness and training are critical to prevent accidental exposure. The absence of known exploits in the wild suggests that proactive patching and mitigation can effectively reduce risk before exploitation occurs.

Mitigation Recommendations

1. Immediately upgrade to autocaliweb version 0.8.3 or later, which includes the patch that properly sanitizes debug pack contents.
2. Audit existing debug packs that may have been generated and shared to identify any potential exposure of API keys or other sensitive data.
3. Rotate all API keys and tokens that were included in debug packs generated by vulnerable versions to invalidate potentially compromised credentials.
4. Implement strict access controls and monitoring around the generation and sharing of debug packs to ensure only authorized personnel can create and distribute them.
5. Educate users about the risks of sharing debug packs and establish clear policies for handling diagnostic data containing sensitive information.
6. Consider implementing automated scanning tools to detect sensitive data exposure in debug or log files before they are shared externally.
7. Monitor network and application logs for unusual activity that could indicate misuse of leaked API keys.
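The following is an added example, not autocaliweb's own code, illustrating the failure mode described in the Technical Analysis (a to_dict() serializer that copies every configuration field, secrets included, into a debug pack) next to a hardened serializer that redacts sensitive fields, plus the kind of pre-share check suggested in mitigation 6. The Settings class, its field names, the SENSITIVE_MARKERS list and all values are constructed for illustration and do not reflect autocaliweb's real configuration schema.

```python
"""Redacting secrets from a configuration dump before it enters a debug pack.

Added example; not autocaliweb's code. The Settings fields and the marker
list below are hypothetical and chosen only to illustrate the technique.
"""
import json
from dataclasses import dataclass, fields

# Name fragments that mark a configuration field as a secret (constructed list).
SENSITIVE_MARKERS = ("token", "key", "secret", "password")
REDACTED = "<redacted>"


def is_sensitive(name: str) -> bool:
    """Case-insensitive check of a field name against the marker list."""
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


@dataclass
class Settings:
    # Hypothetical settings; not autocaliweb's real schema.
    calibre_dir: str = "/books"
    port: int = 8083
    metadata_api_key: str = ""
    kobo_sync_token: str = ""
    mail_password: str = ""

    def to_dict_unfiltered(self) -> dict:
        """The defect the advisory describes: every field is copied verbatim,
        so API keys and tokens end up in the debug pack."""
        return {f.name: getattr(self, f.name) for f in fields(self)}

    def to_dict(self) -> dict:
        """Hardened serializer: a sensitive field that holds a value is replaced
        by a marker; an unset sensitive field stays empty so the debug pack
        still shows whether the feature is configured."""
        out = {}
        for f in fields(self):
            value = getattr(self, f.name)
            if is_sensitive(f.name) and value not in ("", None):
                out[f.name] = REDACTED
            else:
                out[f.name] = value
        return out


def build_debug_pack(settings: Settings) -> str:
    """Serialize the redacted configuration as the 'config' section of a pack."""
    return json.dumps({"config": settings.to_dict()}, indent=2, sort_keys=True)


def leaked_secrets(pack_text: str, secrets) -> list:
    """Pre-share check: return every known secret value that still appears
    verbatim in the pack text (the automated scan of mitigation 6)."""
    return [s for s in secrets if s and s in pack_text]


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    s = Settings(metadata_api_key="ak_constructed_0123",
                 kobo_sync_token="kt_constructed_4567",
                 mail_password="constructed_mail_pw")
    secrets = [s.metadata_api_key, s.kobo_sync_token, s.mail_password]
    print("unfiltered leaks:", leaked_secrets(json.dumps(s.to_dict_unfiltered()), secrets))
    pack = build_debug_pack(s)
    print("hardened leaks:", leaked_secrets(pack, secrets))
    print(pack)
```

Matching on field names is a denylist and therefore only as good as the marker list; a stricter design keeps an explicit allowlist of fields that may appear in diagnostics and drops everything else. Either way, running leaked_secrets() over the finished pack with the live credential values catches the case where a secret reached the pack through a path the serializer did not cover, such as a log excerpt.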


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-07T18:27:23.307Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689bac14ad5a09ad0036c6c9

Added to database: 8/12/2025, 9:03:16 PM

Last enriched: 8/20/2025, 2:08:15 AM

Last updated: 10/2/2025, 12:39:35 AM

