
CVE-2025-61777: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in FlagForgeCTF flagForge

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2025-61777, cwe-200, cwe-284, cwe-306
Published: Mon Oct 06 2025 (10/06/2025, 16:44:27 UTC)
Source: CVE Database V5
Vendor/Project: FlagForgeCTF
Product: flagForge

Description

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available.

AI-Powered Analysis

Last updated: 01/29/2026, 08:06:55 UTC

Technical Analysis

CVE-2025-61777 is a critical security vulnerability affecting the FlagForgeCTF platform's flagForge product, specifically versions from 2.0.0 up to but not including 2.3.2. The vulnerability stems from the lack of authentication and authorization enforcement on the administrative API endpoints `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST). These endpoints previously allowed any unauthenticated user to retrieve all badge templates along with sensitive metadata fields such as `createdBy`, `createdAt`, and `updatedAt`. Additionally, attackers could create arbitrary badge templates in the database without any restrictions. This exposure of sensitive information corresponds to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), while the absence of proper authorization and authentication checks relates to CWE-284 and CWE-306 respectively. The impact includes unauthorized data disclosure, potential database pollution through malicious badge template creation, and abuse of the badge system which could undermine the integrity of the CTF platform. The vulnerability is remotely exploitable without any user interaction or privileges, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The flaw was addressed in FlagForge version 2.3.2 by enforcing authentication on all GET, POST, UPDATE, and DELETE badge template endpoints and restricting access to admin users only. No reliable workarounds are available, making patching the only effective mitigation. There are no known exploits in the wild at the time of publication, but the high severity and ease of exploitation make this a critical threat to affected deployments.
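
The fix described above, authentication first and then an admin-only authorization check, can be expressed as a route guard around both badge-template handlers. This is an added example, not FlagForge's own code: the session shape, the token map, the in-memory store and all function names are assumptions.

```javascript
// Added illustration, not FlagForge source code. The session shape
// ({ user: { id, role } }), token lookup and in-memory store are assumptions.
const templates = []; // stand-in for the badge template collection

// Constructed sessions keyed by bearer token (a real lookup is usually async).
const SESSIONS = new Map([
  ["tok-admin", { user: { id: "u1", role: "admin" } }],
  ["tok-player", { user: { id: "u2", role: "user" } }],
]);
const getSession = (req) => SESSIONS.get(req.headers.authorization) || null;

// Authentication first (missing check = CWE-306), then authorization (CWE-284).
function requireAdmin(handler) {
  return (req) => {
    const session = getSession(req);
    if (!session) return { status: 401, body: { error: "authentication required" } };
    if (session.user.role !== "admin") return { status: 403, body: { error: "admin only" } };
    return handler(req, session);
  };
}

// GET /api/admin/badge-templates
const listTemplates = requireAdmin(() => ({ status: 200, body: templates }));

// POST /api/admin/badge-templates/create
const createTemplate = requireAdmin((req, session) => {
  const now = new Date().toISOString();
  // createdBy comes from the verified session, never from the request body.
  const doc = { name: String(req.body.name), createdBy: session.user.id, createdAt: now, updatedAt: now };
  templates.push(doc);
  return { status: 201, body: doc };
});

// Helper to exercise a handler with a given token (or none).
function call(handler, token, body) {
  return handler({ headers: token ? { authorization: token } : {}, body: body || {} });
}
```

An unauthenticated request gets 401 and an authenticated non-admin gets 403, so neither reaches the template store.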

Potential Impact

For European organizations, especially those involved in cybersecurity training, education, or competitions using the FlagForgeCTF platform, this vulnerability poses significant risks. Unauthorized access to badge templates can lead to exposure of sensitive metadata about badge creation and modification, potentially revealing internal operational details or user information. The ability to create arbitrary badge templates can corrupt the integrity of the badge system, misleading participants or undermining trust in competition results. This could also be leveraged to escalate attacks by injecting malicious data or triggering further vulnerabilities in the platform. The exposure and manipulation of administrative resources without authentication can damage organizational reputation and lead to compliance issues under GDPR due to unauthorized data exposure. Since the vulnerability requires no authentication or user interaction, any exposed instance of vulnerable flagForge versions is at immediate risk of compromise. The disruption of CTF platforms can impact training programs and security awareness initiatives critical to European cybersecurity readiness.

Mitigation Recommendations

The primary mitigation is to upgrade all affected FlagForgeCTF flagForge instances to version 2.3.2 or later, where authentication and authorization checks are properly enforced on all badge template endpoints. Organizations should audit their deployments to identify any running vulnerable versions (>=2.0.0 and <2.3.2) and prioritize patching. Network-level controls should be implemented to restrict access to administrative API endpoints, ideally limiting them to trusted internal networks or VPNs. Monitoring and logging access to these endpoints should be enabled to detect any anomalous or unauthorized activity. If immediate patching is not feasible, temporarily disabling or firewalling the `/api/admin/badge-templates` endpoints can reduce exposure, though this may impact platform functionality. Additionally, organizations should review badge template data for signs of unauthorized creation or modification and validate the integrity of their CTF platform data. Regular security assessments and penetration testing of CTF platforms are recommended to detect similar issues proactively.
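
The monitoring step recommended above can start from reverse-proxy access logs. This added example (not part of the original analysis) flags requests to the badge-template admin endpoints from outside a trusted range; the log lines are constructed samples in nginx "combined" style, and the trusted prefix and IP addresses are assumptions.

```javascript
// Added illustration. Log lines are constructed samples; the trusted prefix
// and the source IPs (RFC 5737 documentation ranges) are assumptions.
const ADMIN_PATH = /^\/api\/admin\/badge-templates(\/|\?|$)/;
const TRUSTED_PREFIXES = ["10.0.5."]; // assumed admin VPN range; use CIDR matching in production

// ip, timestamp, method, path, status from a "combined"-style line
const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function triage(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue; // skip lines that are not access-log entries
    const [, ip, time, method, path, status] = m;
    if (!ADMIN_PATH.test(path)) continue;
    if (TRUSTED_PREFIXES.some((p) => ip.startsWith(p))) continue;
    const code = Number(status);
    // 2xx from an untrusted source: data was returned (GET) or written (other methods).
    // Anything else (401/403 after patching, 404, ...) is recorded as a probe.
    const ok = code >= 200 && code < 300;
    const severity = ok ? (method === "GET" ? "exposure" : "write") : "probe";
    findings.push({ time, ip, method, path, status: code, severity });
  }
  return findings;
}

const SAMPLE = [
  '10.0.5.12 - - [06/Oct/2025:17:01:02 +0000] "GET /api/admin/badge-templates HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [06/Oct/2025:17:03:40 +0000] "GET /api/admin/badge-templates HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
  '203.0.113.7 - - [06/Oct/2025:17:03:44 +0000] "POST /api/admin/badge-templates/create HTTP/1.1" 201 310 "-" "curl/8.5.0"',
  '198.51.100.23 - - [07/Oct/2025:09:12:10 +0000] "GET /api/admin/badge-templates HTTP/1.1" 401 48 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [07/Oct/2025:09:12:30 +0000] "GET /api/challenges HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

for (const f of triage(SAMPLE)) console.log(f.severity, f.ip, f.method, f.path, f.status);
```

Any "write" finding identifies a time window in which badge templates should be reviewed for unauthorized creation, as the paragraph above recommends.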


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-30T19:43:49.901Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e3f46f083a44572bc63cb3

Added to database: 10/6/2025, 4:55:11 PM

Last enriched: 1/29/2026, 8:06:55 AM

Last updated: 2/4/2026, 3:10:05 AM
