FlagForgeCTF's flagForge platform, used for Capture The Flag competitions, contained a critical security flaw identified as CVE-2025-61777. In versions from 2.0.0 up to but not including 2.3.2, the administrative API endpoints /api/admin/badge-templates (GET) and /api/admin/badge-templates/create (POST) were accessible without any authentication or authorization checks. This lack of access control allowed any unauthenticated user to retrieve all badge templates along with sensitive metadata fields such as createdBy, createdAt, and updatedAt. Furthermore, attackers could create arbitrary badge templates in the database, potentially polluting the data and abusing the badge system's integrity. These actions compromise confidentiality by exposing sensitive information, integrity by allowing unauthorized data modification, and availability to a lesser extent due to possible database pollution. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information), CWE-284 (Improper Access Control), and CWE-306 (Missing Authentication for Critical Function). The CVSS v3.1 base score is 9.4 (critical), reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality and integrity. The issue was addressed in flagForge version 2.3.2 by enforcing authentication on all GET, POST, UPDATE, and DELETE badge template endpoints and restricting access to admin users only. No reliable workarounds exist, so patching is the primary mitigation. There are no known exploits in the wild as of the publication date, but the severity and ease of exploitation make prompt remediation essential.

For European organizations using flagForge versions between 2.0.0 and 2.3.1, this vulnerability poses a significant risk. Unauthorized access to badge templates can lead to exposure of sensitive metadata, which may include user identifiers and timestamps, potentially aiding further reconnaissance or social engineering attacks. The ability to create arbitrary badge templates could allow attackers to manipulate competition results or disrupt event integrity, undermining trust in the platform. In environments where flagForge is integrated with other systems or used for official training or certification, data pollution could have cascading effects on reporting and auditing. Although availability impact is low, the confidentiality and integrity breaches could lead to reputational damage, compliance issues under GDPR due to unauthorized data exposure, and operational disruptions. Given the network-exploitable nature without authentication, attackers can easily target exposed flagForge instances, making this a critical concern for European CTF organizers, educational institutions, and cybersecurity training providers.

The primary mitigation is to upgrade all affected flagForge instances to version 2.3.2 or later, where authentication and admin-only authorization are enforced on all badge template endpoints. Organizations should immediately audit their deployments to identify vulnerable versions. If immediate patching is not feasible, restrict network access to the administrative API endpoints using firewalls or VPNs to limit exposure to trusted users only. Implement rigorous monitoring and logging of API access to detect any unauthorized attempts to access or modify badge templates. Review badge template data for signs of unauthorized creation or modification and restore from backups if necessary. Additionally, enforce strong authentication mechanisms for admin users and consider multi-factor authentication to reduce risk of credential compromise. Regularly review and update access control policies to ensure least privilege principles are applied. Finally, educate staff and users about the risks and signs of abuse related to this vulnerability.