CVE-2025-62614: CWE-862: Missing Authorization in booklore-app booklore
BookLore is a self-hosted web app for organizing and managing personal book collections. In versions 1.8.1 and prior, an authentication bypass vulnerability in the BookMediaController allows any unauthenticated user to access and download book covers, thumbnails, and complete PDF/CBX page content without authorization. The vulnerability exists because multiple media endpoints lack proper access control annotations, and the CoverJwtFilter continues request processing even when no authentication token is provided. This enables attackers to enumerate and exfiltrate all book content from the system, bypassing the intended download permissions (canDownload) entirely. This issue has been patched via commit b226c43.
AI Analysis
Technical Summary
CVE-2025-62614 is a missing-authorization flaw (CWE-862) in the BookLore web application, affecting versions 1.8.1 and earlier. BookLore is a self-hosted platform for managing personal book collections. Two defects combine. First, several media-serving endpoints in the BookMediaController carry no access control annotations, so nothing at the method level checks who is calling. Second, the CoverJwtFilter, which is meant to validate the JWT presented with media requests, lets a request continue down the filter chain when no token is present at all instead of rejecting it. Because neither layer denies the request, an unauthenticated client can fetch book covers, thumbnails, and complete PDF/CBX page content, which also sidesteps the per-user canDownload permission that is supposed to gate downloads. Exploitation needs no credentials and no user interaction and can be performed remotely over the network; an attacker who can reach the instance can enumerate the library and exfiltrate every book. The vulnerability was publicly disclosed on October 22, 2025, with a CVSS v4.0 score of 8.7 (high), reflecting trivial exploitation and a complete loss of confidentiality for the stored content. The fix is commit b226c43, which adds the missing access control annotations and changes the CoverJwtFilter so that unauthenticated requests are rejected. No exploitation in the wild has been reported.
Potential Impact
For European organizations running BookLore, the risk is unauthorized disclosure of the entire library: covers, thumbnails and full PDF/CBX page content can be enumerated and downloaded by anyone who can reach the instance, with no credentials. Depending on what is stored, that means intellectual property theft, privacy violations, and possible GDPR non-compliance where the collection or its metadata contains personal data, together with the reputational and legal consequences of a confidentiality breach. Because BookLore is self-hosted, exposure is deployment-specific: an instance published directly to the internet without a VPN or reverse-proxy authentication in front of it is exploitable by anyone, while one reachable only from a trusted network is exposed to insiders and to anything else on that network. Integrity and availability are not directly affected; the impact is confidentiality only, but complete. Libraries, educational institutions and publishers that use BookLore for digital asset management have the most to lose.
Mitigation Recommendations
Upgrade BookLore to a release later than 1.8.1; the fix is commit b226c43. After upgrading, verify it: request a cover, thumbnail and page URL with no token and again with a malformed token, and confirm each returns 401 or 403 rather than the media bytes. Where upgrading must wait, put the instance behind network-level controls (VPN-only access or IP allow-listing) or behind a reverse proxy that itself requires authentication, so the vulnerable media endpoints are not reachable anonymously. In the code, check that every media-serving endpoint carries an explicit authorization annotation and that the application's URL-level rules deny by default, so a forgotten annotation still fails closed; audit the CoverJwtFilter (or equivalent middleware) so that a missing or invalid token terminates the request instead of passing it down the filter chain. Add access control tests for the media endpoints to the regression suite and include those endpoints in penetration testing. Monitor access logs for enumeration patterns, such as one client requesting many distinct book IDs on media paths without a session. A WAF can help only if it can tell authenticated requests apart, for example by rejecting media-path requests that carry no token or Authorization header; treat it as a stop-gap, not a fix. Brief administrators on the issue so that patching is prioritised, and keep backups of book content somewhere that is not itself reachable through the application.
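The following Spring Security code is an illustrative example added to this entry; it is not BookLore's source and not the contents of commit b226c43. It shows the two defects the Technical Summary describes side by side with their hardened forms, and it is the shape of what the audit in the recommendations above should confirm: a fail-open JWT filter beside a fail-closed one, a controller whose media endpoints declare the permission they require, and a deny-by-default URL rule so that a forgotten annotation still fails closed. Spring Boot 3 / Spring Security 6 (jakarta.servlet) is assumed; the class names, the /api/v1/media paths, the `token` query parameter, the `canDownload` authority string, and the TokenVerifier and MediaStore interfaces are all assumptions chosen to mirror the advisory, not BookLore identifiers.

```java
// Added illustrative example, not BookLore's code. Spring Boot 3 / Spring Security 6 assumed;
// class names, paths, the "token" parameter and the two interfaces below are placeholders.
package example.media;

import java.io.IOException;
import java.util.List;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

/** Assumed token verifier (signature and expiry checks are out of scope here). */
interface TokenVerifier {
    record Claims(String subject, List<String> authorities) {}
    Claims verify(String token);   // null for a null, malformed, expired or badly signed token
    static UsernamePasswordAuthenticationToken toAuth(Claims c) {
        return new UsernamePasswordAuthenticationToken(c.subject(), null,
                c.authorities().stream().map(SimpleGrantedAuthority::new).toList());
    }
}

/** Assumed backing store for cover and page bytes. */
interface MediaStore {
    byte[] cover(long bookId);
    byte[] page(long bookId, int page);
}

/** VULNERABLE pattern: authenticates when a token is present, continues regardless. */
class FailOpenCoverJwtFilter extends OncePerRequestFilter {
    private final TokenVerifier verifier;
    FailOpenCoverJwtFilter(TokenVerifier v) { verifier = v; }
    @Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        TokenVerifier.Claims c = verifier.verify(req.getParameter("token"));
        if (c != null) SecurityContextHolder.getContext().setAuthentication(TokenVerifier.toAuth(c));
        chain.doFilter(req, res); // BUG: also reached with no token or an invalid one; if the
    }                             // URLs are permitAll() and the method unannotated, nothing denies
}

/** HARDENED pattern: a missing or invalid token ends the request here with 401. */
class FailClosedCoverJwtFilter extends OncePerRequestFilter {
    private final TokenVerifier verifier;
    FailClosedCoverJwtFilter(TokenVerifier v) { verifier = v; }
    @Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        TokenVerifier.Claims c = verifier.verify(req.getParameter("token"));
        if (c == null) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        SecurityContextHolder.getContext().setAuthentication(TokenVerifier.toAuth(c));
        chain.doFilter(req, res);   // only reached with a verified token
    }
}

/** Every media endpoint states the permission it requires; downloads check canDownload. */
@RestController
@RequestMapping("/api/v1/media")                    // assumed path
public class MediaController {
    private final MediaStore store;
    public MediaController(MediaStore store) { this.store = store; }
    @GetMapping("/books/{id}/cover")
    @PreAuthorize("isAuthenticated()")
    public ResponseEntity<byte[]> cover(@PathVariable long id) {
        return ResponseEntity.ok(store.cover(id));
    }
    @GetMapping("/books/{id}/pages/{page}")
    @PreAuthorize("hasAuthority('canDownload')")
    public ResponseEntity<byte[]> page(@PathVariable long id, @PathVariable int page) {
        return ResponseEntity.ok(store.page(id, page));
    }
}

@Configuration
@EnableMethodSecurity                               // without this, @PreAuthorize is inert
class MediaSecurityConfig {
    @Bean
    SecurityFilterChain mediaChain(HttpSecurity http, TokenVerifier verifier) throws Exception {
        http.securityMatcher("/api/v1/media/**")
            // Deny by default at the URL layer, so a forgotten annotation still fails closed.
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .addFilterBefore(new FailClosedCoverJwtFilter(verifier),
                             UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Two points from the audit side. The fail-open filter is only exploitable in combination: if the media URLs were configured `permitAll()` (a common shortcut so that `<img>` tags can load covers with a query-string token) and the controller method has no `@PreAuthorize`, no layer ever denies the request, which is exactly the combination the advisory describes. And `@PreAuthorize` on its own proves nothing unless `@EnableMethodSecurity` is present, so the regression test worth keeping is a MockMvc request to a cover and a page URL with no token, asserting a 401, plus one with an authenticated user lacking the canDownload authority, asserting a 403.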
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-16T19:24:37.269Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f9488fb5ec6c3fed4b87a9
Added to database: 10/22/2025, 9:11:43 PM
Last enriched: 10/29/2025, 9:48:05 PM
Last updated: 12/6/2025, 12:35:30 AM
Related Threats
- CVE-2025-65955 (Low)
- CVE-2025-14116: Server-Side Request Forgery in xerrors Yuxi-Know (Medium)
- CVE-2025-14111: Path Traversal in Rarlab RAR App (Low)
- CVE-2025-14108: Command Injection in ZSPACE Q2C NAS (High)
- CVE-2025-14107: Command Injection in ZSPACE Q2C NAS (High)