CVE-2025-63891: n/a
Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql.
AI Analysis
Technical Summary
CVE-2025-63891 is an information disclosure vulnerability identified in the SourceCodester Simple Online Book Store System. The vulnerability arises because a backup database file (obs_db.sql) is left accessible via a web server endpoint (/obs/database/obs_db.sql) without any authentication or access control. This file contains the entire database dump, including sensitive information such as database schema and credential hashes. An attacker can exploit this by sending an unauthenticated HTTP GET request to the specified URL, retrieving the backup file and thereby gaining access to sensitive data. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 7.5, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:H/I:N/A:N). No patches or fixes are currently listed, and no exploits have been reported in the wild yet. The vulnerability's root cause is improper server configuration or failure to restrict access to backup files, a common security oversight in web application deployment.
Potential Impact
For European organizations, this vulnerability can lead to significant data breaches involving customer information, internal database structures, and credential hashes. Exposure of credential hashes increases the risk of offline credential cracking and subsequent unauthorized access to systems, potentially leading to lateral movement or privilege escalation. Organizations relying on the affected SourceCodester system or similar vulnerable web applications may face compliance violations under GDPR due to unauthorized personal data exposure. Disclosure of the database schema also helps attackers craft more targeted attacks. The absence of any authentication requirement and the ease of exploitation make this vulnerability particularly dangerous, and availability may be affected indirectly if attackers leverage the disclosed information to disrupt services. The reputational damage and financial penalties from data breaches could be substantial for affected European entities.
Mitigation Recommendations
Immediate mitigation steps:
- Remove backup files from the web server, or restrict access to them, and ensure that database dumps are never stored in web-accessible directories.
- Implement strict access controls and authentication mechanisms for any sensitive files or endpoints.
- Conduct a thorough audit of the web server and application configuration to identify and secure any other exposed sensitive files.
- Employ a web application firewall (WAF) to detect and block unauthorized access attempts to sensitive paths.
- Regularly review and update deployment procedures to prevent accidental exposure of backup or configuration files.
- Enforce strong password policies and consider multi-factor authentication to mitigate the risk from compromised credential hashes.
- Monitor logs for suspicious access patterns and prepare incident response plans in case of exploitation.
- Coordinate with the vendor or community maintaining the SourceCodester system to obtain patches or updates once available.
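As an added example (not part of this advisory or of the SourceCodester project), the log-monitoring recommendation above can be implemented as a small access-log scanner: it parses Apache/nginx combined-format lines, flags requests for the backup path named in the CVE and for common dump-file extensions, and distinguishes a dump that was actually served (200 with a body) from a refused probe (403/404). The sample log lines, IP addresses and user agents are constructed.

```python
import re

# Paths that indicate a database dump left in the web root: /database/ covers the
# CVE-2025-63891 path /obs/database/obs_db.sql; the extensions are generic additions.
SENSITIVE_PATH_RE = re.compile(
    r"/database/|\.(?:sql|sql\.gz|bak|dump)(?:$|\?)", re.IGNORECASE)

# Apache/nginx "combined" access-log format (referer and user agent are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample log lines; the addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2025:20:31:02 +0000] "GET /obs/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Nov/2025:20:31:05 +0000] "GET /obs/database/obs_db.sql HTTP/1.1" 200 184320 "-" "curl/8.4.0"',
    '198.51.100.23 - - [14/Nov/2025:20:40:11 +0000] "GET /obs/database/obs_db.sql HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.23 - - [14/Nov/2025:20:40:12 +0000] "GET /obs/backup.sql.gz HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry

def classify(entry):
    """'exposed' if a dump was served, 'probe' if the request was refused, else None."""
    if entry is None or not SENSITIVE_PATH_RE.search(entry["path"]):
        return None
    # A 200 with a non-empty body means the file left the server: treat as a breach.
    if entry["status"] == 200 and entry["size"] > 0:
        return "exposed"
    # Any other status: access control held, but the attempt is still worth an alert.
    return "probe"

def scan(lines):
    """Return (verdict, ip, path, status, size) for every sensitive-path request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry)
        if verdict:
            findings.append((verdict, entry["ip"], entry["path"], entry["status"], entry["size"]))
    return findings
```

Running `scan(SAMPLE_LOG)` yields one "exposed" finding (the 184320-byte download) followed by two "probe" findings; the "exposed" verdict is the one that should trigger incident response rather than just a WAF block.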
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69179229d767b187e93e4612
Added to database: 11/14/2025, 8:33:45 PM
Last enriched: 11/21/2025, 8:59:56 PM
Last updated: 12/30/2025, 9:02:21 AM