CVE-2025-59843: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in FlagForgeCTF flagForge
Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The problem has been patched in FlagForge version 2.3.1. The fix removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.1 or later to eliminate exposure. There are no workarounds for this vulnerability.
AI Analysis
Technical Summary
CVE-2025-59843 is a medium-severity vulnerability affecting the FlagForgeCTF platform, specifically versions from 2.0.0 up to but not including 2.3.1. FlagForgeCTF is a Capture The Flag (CTF) competition platform used for cybersecurity training and competitions. The vulnerability arises from the public API endpoint /api/user/[username], which in the affected versions returns user email addresses in its JSON response. This exposure of private personal information constitutes a CWE-359 issue, where sensitive data is disclosed to unauthorized actors without requiring authentication or user interaction. The vulnerability allows any remote attacker to retrieve email addresses of users simply by querying the public API, potentially enabling targeted phishing, social engineering, or other privacy violations. The issue was addressed in version 2.3.1 by removing email addresses from the public API response while maintaining the endpoint's public accessibility. No workarounds exist, so upgrading to version 2.3.1 or later is the only effective remediation. The CVSS 4.0 base score is 6.9, reflecting a network attack vector with low complexity, no privileges or user interaction required, and limited confidentiality impact. There are no known exploits in the wild at this time. The vulnerability primarily impacts confidentiality by exposing user email addresses, but does not affect integrity or availability of the platform. Given the nature of CTF platforms, the user base may include cybersecurity professionals and enthusiasts, making the exposed emails valuable for targeted attacks or spam campaigns. The vulnerability is straightforward to exploit due to the public API and lack of authentication requirements.
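The following is an added illustration, not FlagForge's own code: a framework-free sketch of a `/api/user/[username]` style handler in its leaking form beside the allowlist projection that the 2.3.1 fix describes (private fields dropped, endpoint still public). The user store, field names and the `getUser*`/`toPublicProfile`/`leakedPrivateFields` helpers are constructed assumptions.

```javascript
// Constructed sample store standing in for the application's user table.
const USERS = new Map([
  ["alice", { username: "alice", email: "alice@example.test", score: 1200,
              passwordHash: "$2b$10$constructed", createdAt: "2025-01-10" }],
]);

function notFound() {
  return { status: 404, body: { error: "not found" } };
}

// Leaking shape (the class of bug in 2.0.0 to before 2.3.1): the stored
// record is serialised as-is, so private columns ride along with the profile.
function getUserVulnerable(username) {
  const user = USERS.get(username);
  return user ? { status: 200, body: { ...user } } : notFound();
}

// Fields an anonymous caller may see. Anything not listed is dropped, so a
// column added later can never reach the public response by default.
const PUBLIC_FIELDS = ["username", "score", "createdAt"];

function toPublicProfile(user) {
  const profile = {};
  for (const key of PUBLIC_FIELDS) {
    if (key in user) profile[key] = user[key];
  }
  return profile;
}

// Fixed shape: the endpoint stays public, the body is projected to the allowlist.
function getUserFixed(username) {
  const user = USERS.get(username);
  return user ? { status: 200, body: toPublicProfile(user) } : notFound();
}

// Regression guard for a test suite: report any key in a response body that
// must never be exposed to unauthenticated callers.
const PRIVATE_FIELDS = new Set(["email", "passwordHash"]);

function leakedPrivateFields(body) {
  return Object.keys(body).filter((k) => PRIVATE_FIELDS.has(k));
}
```

Wiring `leakedPrivateFields` into the public-endpoint tests turns the 2.3.1 fix into a check that fails the build if a private column is ever reintroduced.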
Potential Impact
For European organizations, the exposure of user email addresses through this vulnerability can lead to increased risk of phishing attacks, spear-phishing, and social engineering campaigns targeting employees or participants involved in cybersecurity training or competitions. Organizations using FlagForgeCTF internally or in training environments may inadvertently expose their staff's contact information, potentially leading to credential theft or broader network compromise if attackers leverage the information effectively. Privacy regulations such as the GDPR impose strict requirements on protecting personal data, including email addresses. This vulnerability could result in non-compliance issues, leading to regulatory fines and reputational damage if exploited or disclosed. Although the vulnerability does not directly compromise system integrity or availability, the indirect consequences of phishing or targeted attacks could be severe, especially in sectors with high cybersecurity sensitivity such as finance, government, and critical infrastructure within Europe.
Mitigation Recommendations
The primary and only effective mitigation is to upgrade FlagForgeCTF installations to version 2.3.1 or later, where the vulnerability has been patched by removing email addresses from public API responses. Organizations should conduct an inventory of their FlagForgeCTF deployments and prioritize patching to eliminate exposure. Additionally, organizations should monitor network traffic to detect unusual API queries targeting the /api/user/[username] endpoint, which may indicate reconnaissance activity. Implementing rate limiting and anomaly detection on API endpoints can help reduce the risk of mass harvesting of user data. User awareness training should emphasize caution regarding unsolicited emails, especially those that may leverage leaked email addresses. Finally, organizations should review their privacy policies and data handling procedures to ensure compliance with GDPR and other relevant regulations concerning personal data exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-22T14:34:03.472Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d6bb0017bcb728eab3155b
Added to database: 9/26/2025, 4:10:40 PM
Last enriched: 9/26/2025, 4:11:20 PM
Last updated: 9/27/2025, 12:10:06 AM