FlagForgeCTF's flagForge platform, widely used for Capture The Flag cybersecurity competitions, contains a vulnerability identified as CVE-2025-59843. This vulnerability arises from the public API endpoint /api/user/[username] returning user email addresses in its JSON response for versions 2.0.0 up to but not including 2.3.2. The exposure of email addresses constitutes an information disclosure vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The flaw allows any unauthenticated attacker to query the endpoint with arbitrary usernames and retrieve associated email addresses without any authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, primarily due to the ease of exploitation (network accessible, no authentication required) and the limited impact confined to confidentiality (email addresses only). The fix, introduced in version 2.3.2, removes email addresses from the public API response while maintaining endpoint accessibility, thus preserving functionality without compromising privacy. No known exploits have been reported in the wild, but the exposed email addresses can be leveraged for phishing campaigns, spam, or further social engineering attacks targeting users of the platform. Since no workarounds exist, upgrading to version 2.3.2 or later is the only effective mitigation. Organizations running flagForge instances should prioritize patching to prevent unauthorized data disclosure and protect user privacy.

For European organizations utilizing flagForge for CTF events, this vulnerability poses a privacy risk by exposing user email addresses publicly. The unauthorized disclosure can lead to increased phishing attacks, spear-phishing, and social engineering targeting employees or participants, potentially resulting in credential theft or malware infections. While the vulnerability does not directly compromise system integrity or availability, the indirect consequences of successful phishing can be severe, including data breaches or network compromise. Organizations subject to GDPR and other data protection regulations face compliance risks due to the exposure of personal data, which could result in regulatory penalties and reputational damage. The impact is particularly significant for organizations hosting large-scale or public CTF events with many participants, increasing the volume of exposed personal information. Additionally, the vulnerability could undermine trust in the platform and the organization's cybersecurity posture. Prompt remediation is critical to mitigate these risks and maintain compliance with European data privacy standards.

The primary mitigation is to upgrade all flagForge instances to version 2.3.2 or later, where the vulnerability is fixed by removing email addresses from the public API responses. Since no workarounds exist, patching is mandatory. Organizations should also audit their current user data exposure to assess the extent of information disclosed. Implementing network-level access controls or API gateways to restrict access to the /api/user/[username] endpoint could provide temporary risk reduction but may impact platform functionality. Monitoring for unusual API access patterns can help detect potential exploitation attempts. Additionally, organizations should educate users about phishing risks and implement strong email filtering and anti-phishing technologies to mitigate the impact of exposed email addresses. Reviewing and updating privacy policies and incident response plans to address potential data exposure incidents is advisable. Finally, maintain regular updates and vulnerability management practices to promptly address future security issues.