CVE-2025-55165: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in gelbphoenix autocaliweb
Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the to_dict() method, used to serialize configuration for the debug pack, doesn't adequately filter out sensitive fields such as API tokens. Users, unaware of the full contents, might share these debug packs, inadvertently leaking their private API keys. This issue has been patched in version 0.8.3.
AI Analysis
Technical Summary
CVE-2025-55165 is a high-severity information-disclosure flaw in gelbphoenix autocaliweb before version 0.8.3. Autocaliweb provides a web interface for browsing, reading, and downloading eBooks from a Calibre database. To help with troubleshooting it can generate a debug pack, and the configuration section of that pack is produced by serializing the settings object with its to_dict() method. Before 0.8.3, to_dict() did not exclude secret-bearing fields, so API keys and tokens configured in the application were written into the pack in the clear. A debug pack exists to be handed to someone else (a maintainer, a support channel, an issue tracker), and users who have not inspected it will share it without realizing it carries their credentials; whoever receives it, and anyone with access to the place it was posted, obtains working secrets. What an attacker can do with them depends on what each key authorizes at the service it belongs to. The weakness is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The assigned CVSS v3.1 base score is 8.3 with vector AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H: local access, low attack complexity, low privileges, user interaction required, changed scope, and high impact on confidentiality, integrity, and availability. No in-the-wild exploitation is reported, but the leak needs no attacker action beyond reading a file the victim volunteered, so disclosure should be assumed wherever a pre-0.8.3 pack has been shared. Version 0.8.3 fixes the issue by filtering sensitive fields during serialization.
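The following is an added example, not code from Autocaliweb or from the advisory: a hypothetical settings dataclass (its field names and values are constructed for the example) whose to_dict_unsafe() reproduces the CWE-200 pattern described above, beside a denylist-redacting serializer, an allowlist serializer, and a check that confirms no secret value survives into the output.

```python
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass, fields


# Hypothetical settings object standing in for an application's configuration.
# Field names and values are constructed for the example, not Autocaliweb's schema.
@dataclass
class AppConfig:
    calibre_dir: str = "/books"
    port: int = 8083
    log_level: str = "INFO"
    mail_server: str = "smtp.example.invalid"
    mail_password: str = "hunter2"
    hardcover_api_key: str = "hc_live_abcdef123456"
    goodreads_api_secret: str = "gr_sec_987654"

    def to_dict_unsafe(self) -> dict:
        # The vulnerable pattern: every field is serialized, credentials included,
        # so a debug pack built from this dict carries the secrets in the clear.
        return asdict(self)


# Field names that denote credentials. Matching on the name is the cheap fix;
# it fails open for a secret stored under a name this pattern does not cover.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)


def to_dict_redacted(cfg: AppConfig) -> dict:
    """Denylist approach: keep every key, but replace credential values.

    Emitting '<redacted>' versus '<empty>' preserves the one thing a troubleshooter
    needs to know (is the key configured at all?) without exposing the value.
    """
    out = {}
    for f in fields(cfg):
        value = getattr(cfg, f.name)
        if SENSITIVE_KEY.search(f.name):
            out[f.name] = "<redacted>" if value else "<empty>"
        else:
            out[f.name] = value
    return out


# Allowlist approach: only fields explicitly cleared for diagnostics are emitted.
# A newly added secret field is excluded by default instead of leaking by default.
DEBUG_PACK_FIELDS = frozenset({"calibre_dir", "port", "log_level", "mail_server"})


def to_dict_allowlisted(cfg: AppConfig) -> dict:
    return {f.name: getattr(cfg, f.name) for f in fields(cfg) if f.name in DEBUG_PACK_FIELDS}


def leaked_secrets(cfg: AppConfig, serialized: dict) -> list[str]:
    """Names of credential fields whose real value appears anywhere in the serialized output.

    Run this as a unit test against whatever builds the debug pack: it must return [].
    """
    blob = json.dumps(serialized, default=str)
    return [
        f.name
        for f in fields(cfg)
        if SENSITIVE_KEY.search(f.name)
        and getattr(cfg, f.name)
        and str(getattr(cfg, f.name)) in blob
    ]


if __name__ == "__main__":
    cfg = AppConfig()
    print("unsafe   :", leaked_secrets(cfg, cfg.to_dict_unsafe()))
    print("redacted :", leaked_secrets(cfg, to_dict_redacted(cfg)))
    print("allowlist:", leaked_secrets(cfg, to_dict_allowlisted(cfg)))
```

The allowlist is the more robust of the two fixes: with a denylist, the next contributor who adds a `service_auth` field has reintroduced the bug; with an allowlist, that field stays out of the pack until someone deliberately adds it. leaked_secrets() serializes the whole dict to text before checking, so it also catches a secret that was copied into a nested or differently named field.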
Potential Impact
For European organizations running autocaliweb before 0.8.3, the practical risk is credential leakage rather than a break-in to the application itself. A leaked API key grants whatever access that key has at the integrated service: reading or modifying data held there, consuming quota, or acting under the organization's account. Because autocaliweb fronts a Calibre library, which may hold licensed or otherwise restricted material, the surrounding configuration can also reveal where that content lives and how it is reached. The local attack vector and user-interaction requirement mean an attacker cannot trigger the leak remotely; the exposure happens when a user generates a pack and posts or emails it. Shared-host deployments, public issue trackers, and vendor support tickets are therefore the realistic exposure paths. Any key that appeared in a pack generated before the fix should be treated as compromised, whether or not misuse has been observed.
Mitigation Recommendations
Verify the installed autocaliweb version and upgrade to 0.8.3 or later. Then deal with the packs that already exist: locate every debug pack generated by a pre-0.8.3 install (local disks, ticketing systems, chat uploads, issue trackers), rotate every API key and token that was configured at the time, and purge the stale packs where possible. Going forward, restrict debug pack generation to administrators, and review a pack's contents before it leaves the organization: extract it and search the configuration and logs for key, token, secret and password fields with non-empty values. Log pack generation and watch API usage at the integrated services for calls from unfamiliar sources. Finally, make sure users understand that a debug pack is a diagnostic artifact that can contain secrets and must not be attached to a public report without review.
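As an added example (not part of the advisory or of Autocaliweb), the pre-sharing review described above, automated in Python: it builds a constructed debug pack as an in-memory zip containing a config.json and a log file, then flags credential-named configuration keys with non-empty values and token-like strings in log lines. The archive layout and member names are assumptions; adapt them to the real pack's structure.

```python
from __future__ import annotations

import io
import json
import re
import zipfile
from typing import Iterator

# Key names that denote credentials (same heuristic a redacting serializer would use).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)
# Rough shape of an opaque credential in free text: a long run of token characters.
# This is a review aid, not proof that the string is a secret; expect false positives.
TOKEN_LIKE = re.compile(r"\b[A-Za-z0-9_\-]{24,}\b")
PLACEHOLDERS = ("", None, "<redacted>", "<empty>")


def walk_json(node, path: str = "") -> Iterator[tuple[str, object]]:
    """Yield (dotted path, leaf value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_json(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_json(value, f"{path}[{index}]")
    else:
        yield path, node


def scan_debug_pack(data: bytes) -> list[str]:
    """Return one finding per suspected secret in a zip-format debug pack."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as pack:
        for name in pack.namelist():
            try:
                text = pack.read(name).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member (database dump, image); not reviewable as text here
            if name.endswith(".json"):
                try:
                    doc = json.loads(text)
                except json.JSONDecodeError:
                    doc = None
                if doc is not None:
                    for path, value in walk_json(doc):
                        if SENSITIVE_KEY.search(path) and value not in PLACEHOLDERS:
                            findings.append(f"{name}:{path}: credential field has a value")
                    continue
            # Logs and other text: secrets also leak through debug logging of outbound calls.
            for lineno, line in enumerate(text.splitlines(), 1):
                for match in TOKEN_LIKE.finditer(line):
                    findings.append(f"{name}:{lineno}: token-like string {match.group()[:6]}...")
    return findings


def build_sample_pack(leak: bool = True) -> bytes:
    """Constructed sample pack for the example; not a real Autocaliweb debug pack."""
    key = "hc_live_abcdef1234567890abcdef" if leak else "<redacted>"
    config = {
        "port": 8083,
        "hardcover_api_key": key,
        "mail": {"password": "hunter2" if leak else "<redacted>"},
    }
    log = "INFO started\n" + (
        f"DEBUG calling metadata API with key {key}\n" if leak else "DEBUG calling metadata API\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pack:
        pack.writestr("config.json", json.dumps(config))
        pack.writestr("app.log", log)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_debug_pack(build_sample_pack()):
        print(finding)
```

The log check matters as much as the configuration check: a serializer fix stops the settings dump from carrying the key, but a debug-level log line that echoes an outbound request can carry the same value, and the pack bundles both. Run the scan on the extracted pack before attaching it anywhere, and treat every finding as a reason to rotate, not merely to redact.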
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-07T18:27:23.307Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689bac14ad5a09ad0036c6c9
Added to database: 8/12/2025, 9:03:16 PM
Last enriched: 8/12/2025, 9:18:00 PM
Last updated: 8/19/2025, 12:34:29 AM
Related Threats
- CVE-2025-3495 (Critical): CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
- CVE-2025-53948 (High): CWE-415 Double Free in Santesoft Sante PACS Server
- CVE-2025-52584 (High): CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
- CVE-2025-46269 (High): CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
- CVE-2025-54862 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server