CVE-2025-62614: CWE-862: Missing Authorization in booklore-app booklore
BookLore is a self-hosted web app for organizing and managing personal book collections. In versions 1.8.1 and prior, an authentication bypass vulnerability in the BookMediaController allows any unauthenticated user to access and download book covers, thumbnails, and complete PDF/CBX page content without authorization. The vulnerability exists because multiple media endpoints lack proper access control annotations, and the CoverJwtFilter continues request processing even when no authentication token is provided. This enables attackers to enumerate and exfiltrate all book content from the system, bypassing the intended download permissions (canDownload) entirely. This issue has been patched via commit b226c43.
AI Analysis
Technical Summary
CVE-2025-62614 is an authentication bypass vulnerability identified in the BookLore web application, specifically affecting versions 1.8.1 and earlier. BookLore is a self-hosted platform designed for organizing and managing personal book collections. The vulnerability resides in the BookMediaController, where multiple media-serving endpoints lack proper access control annotations, violating CWE-862 (Missing Authorization). The CoverJwtFilter, responsible for validating JWT tokens for access control, erroneously allows requests to proceed even when no authentication token is presented. This flaw enables unauthenticated users to enumerate and download all media content stored within the application, including book covers, thumbnails, and complete page content in PDF or CBX formats. The intended permission check, canDownload, is completely bypassed, allowing full exfiltration of book content without any user credentials or interaction. The vulnerability is remotely exploitable over the network without any privileges or user interaction, making it highly accessible to attackers. The issue was addressed and patched in a subsequent commit (b226c43), which presumably added proper authorization checks and enforced token validation to prevent unauthorized access. Despite the lack of known exploits in the wild, the vulnerability poses a significant risk to confidentiality, as sensitive or copyrighted book collections could be exposed. The CVSS 4.0 base score of 8.7 reflects the seriousness of this flaw, emphasizing its network attack vector, low attack complexity, and no required privileges or user interaction. Organizations running vulnerable versions should prioritize patching to prevent data leakage and potential intellectual property theft.
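The two defects described above are a fail-open filter (no token, request still continues down the chain) and controller endpoints with no authorization check of their own. The servlet filter below is an added illustration of the fail-closed pattern, not BookLore's CoverJwtFilter or its patch; the TokenVerifier and Principal types and the "/content" path convention are assumptions for the example.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import java.io.IOException;

// Illustrative fail-closed media filter (not BookLore's CoverJwtFilter).
// TokenVerifier and Principal are assumed helper types for the example.
public class MediaAuthFilter implements Filter {
    public interface TokenVerifier { Principal verify(String token); } // null if invalid
    public record Principal(String user, boolean canDownload) {}

    private final TokenVerifier verifier;
    public MediaAuthFilter(TokenVerifier verifier) { this.verifier = verifier; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        String token = extractBearer(http);
        // Vulnerable pattern (the CWE-862 bug described above): on a missing token
        // the filter would simply call chain.doFilter(req, res) and the unannotated
        // controller would serve the file. Fail closed instead.
        if (token == null) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Principal p = verifier.verify(token);
        if (p == null) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorization is a separate check from authentication: full page/PDF
        // content requires canDownload. The "/content" path is an assumed convention.
        if (http.getRequestURI().contains("/content") && !p.canDownload()) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        http.setAttribute("principal", p);
        chain.doFilter(req, res);
    }

    // Only the Authorization header is honoured; anything else is treated as "no token".
    static String extractBearer(HttpServletRequest http) {
        String auth = http.getHeader("Authorization");
        if (auth != null && auth.startsWith("Bearer ")) return auth.substring(7);
        return null;
    }
}
```

The filter is only the first layer: the per-endpoint access control annotations the advisory says were missing are the second, so a media route the filter mapping does not cover is still denied.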
Potential Impact
For European organizations, the impact of CVE-2025-62614 can be substantial, particularly for libraries, educational institutions, publishers, and private collectors using BookLore to manage digital book collections. Unauthorized access to book content could lead to intellectual property theft, violation of copyright laws, and loss of competitive advantage for publishers or authors. Confidentiality breaches may also expose sensitive metadata or annotations associated with the collections. The ability to download entire books without authorization undermines trust in the platform and could result in reputational damage. Additionally, organizations may face legal and regulatory consequences under the EU's GDPR if personal data related to users or book owners is inadvertently exposed. The vulnerability's ease of exploitation and lack of authentication requirements increase the likelihood of automated scanning and mass data exfiltration attempts. This could also facilitate further attacks, such as phishing or social engineering, by leveraging stolen content. Overall, the threat compromises the confidentiality and integrity of digital book collections, posing a high risk to affected European entities.
Mitigation Recommendations
European organizations using BookLore should immediately upgrade to the latest patched version beyond 1.8.1 that includes the fix for CVE-2025-62614. Until patching is possible, administrators should restrict network access to the BookLore instance, limiting it to trusted internal users via firewall rules or VPNs. Implementing additional web application firewalls (WAF) with custom rules to detect and block unauthorized media access requests can provide temporary protection. Review and enforce strict access control policies on media endpoints, ensuring that all requests require valid authentication tokens and proper authorization checks. Conduct thorough audits of existing permissions and logs to identify any potential unauthorized access or data exfiltration attempts. Educate users and administrators about the risks of running outdated software versions and the importance of timely updates. Finally, consider deploying monitoring solutions to detect anomalous download patterns indicative of exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-16T19:24:37.269Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f9488fb5ec6c3fed4b87a9
Added to database: 10/22/2025, 9:11:43 PM
Last enriched: 10/22/2025, 9:11:59 PM
Last updated: 10/22/2025, 11:49:18 PM