
CVE-2025-63891: n/a

Severity: High
Published: Fri Nov 14 2025 (11/14/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql.

AI-Powered Analysis

Last updated: 11/14/2025, 20:48:17 UTC

Technical Analysis

CVE-2025-63891 is a critical information disclosure vulnerability found in the SourceCodester Simple Online Book Store System. The vulnerability arises because a backup SQL file, obs_db.sql, containing the entire database dump—including schema definitions and credential hashes—is stored in a web-accessible directory (/obs/database/) without proper access controls. An unauthenticated attacker can exploit this by sending a simple HTTP GET request to the file's URL, retrieving sensitive data without any authentication or user interaction. The exposed database contents can include personally identifiable information, user credentials (hashed passwords), and internal database schema details, which can facilitate further attacks such as credential cracking, privilege escalation, or lateral movement within the affected organization. The vulnerability is due to insecure file handling and improper server configuration that fails to restrict access to backup files. No patches or fixes are currently documented, and no CVSS score has been assigned, indicating this is a newly published vulnerability. Although no known exploits have been reported in the wild, the ease of exploitation and the sensitivity of the exposed data make this a high-risk issue. Organizations using this software must urgently audit their web servers for exposed backup files and implement strict access controls to prevent unauthorized data disclosure.

Potential Impact

For European organizations, the impact of CVE-2025-63891 can be severe. Disclosure of full database contents compromises confidentiality, exposing customer personal data and credential hashes, which can lead to identity theft, fraud, and regulatory non-compliance under GDPR. The integrity of the system may be indirectly affected if attackers use the leaked schema and credentials to escalate privileges or inject malicious data. Availability is less directly impacted but could be affected if attackers leverage the information to disrupt services. The breach of credential hashes increases the risk of account takeover, especially if weak hashing algorithms or passwords are used. European e-commerce businesses relying on the affected software face reputational damage and potential financial penalties. The vulnerability's ease of exploitation and lack of authentication requirements mean that attackers can operate stealthily and at scale, increasing the threat to organizations across Europe.

Mitigation Recommendations

1. Immediately audit all web-accessible directories for backup or sensitive files such as obs_db.sql and remove or relocate them outside the web root.
2. Implement strict access controls on backup files, ensuring they are not accessible via HTTP without authentication.
3. Configure web servers to deny access to sensitive file types or directories that should not be publicly accessible.
4. Adopt secure development lifecycle practices to prevent inclusion of backup files in deployment environments.
5. Use environment-specific configurations to separate development/test backups from production systems.
6. Regularly scan web applications and servers for exposed sensitive files using automated tools.
7. If credential hashes are exposed, enforce password resets and consider implementing multi-factor authentication to mitigate compromised credentials.
8. Monitor logs for unusual access patterns to backup files or database exports.
9. Stay updated with vendor patches or advisories related to this vulnerability and apply them promptly once available.
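The following script is an added example, not code from the advisory or from the affected product. It covers the exposure described in the Technical Analysis and mitigation steps 1 and 8 from a defender's side: it walks a document root for dump/backup files that should never be served, and it scans web-server access-log lines for requests to such files, noting whether the server actually returned them. The suffix list, the constructed sample web root and the sample log lines are assumptions; only the /obs/database/obs_db.sql path comes from the advisory.

```python
import os
import re
import tempfile
# Suffixes that should never be served from a document root (assumed list, not from
# the advisory; extend it to match your own backup naming conventions).
DUMP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump")
# Apache/nginx "combined" format: ip - - [time] "METHOD /path HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_dump_path(path: str) -> bool:
    """True if the URL path (query string stripped) ends in a dump/backup suffix."""
    return path.split("?", 1)[0].lower().endswith(DUMP_SUFFIXES)

def find_exposed_files(webroot: str) -> list[str]:
    """Mitigation step 1: walk the document root and list dump/backup files under it."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if name.lower().endswith(DUMP_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def scan_access_log(lines) -> list[dict]:
    """Mitigation step 8: flag requests for dump files; status 200 means the file was served."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_dump_path(m["path"]):
            findings.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "served": m["status"] == "200"})
    return findings

def build_demo_webroot() -> str:
    """Constructed sample document root mirroring the advisory's /obs/database/ layout."""
    root = tempfile.mkdtemp(prefix="obs_webroot_")
    os.makedirs(os.path.join(root, "obs", "database"))
    for rel, body in (("obs/database/obs_db.sql", "-- constructed dump\nCREATE TABLE users (id INT);\n"),
                      ("obs/index.php", "<?php echo 'store'; ?>\n")):
        with open(os.path.join(root, *rel.split("/")), "w") as f:
            f.write(body)
    return root

# Constructed access-log lines (not real traffic): one served dump, one normal page, one blocked dump.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Nov/2025:20:48:17 +0000] "GET /obs/database/obs_db.sql HTTP/1.1" 200 48213 "-" "curl/8.0"',
    '203.0.113.5 - - [14/Nov/2025:20:49:02 +0000] "GET /obs/index.php?page=books HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Nov/2025:20:50:11 +0000] "GET /obs/database/obs_db.sql HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]
```

Run `find_exposed_files("/var/www/html")` against your real document root and feed `scan_access_log` the lines of your access log; a finding with `"served": True` is the case that warrants credential resets (step 7), while a 403 or 404 shows the deny rule from step 3 is working.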


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69179229d767b187e93e4612

Added to database: 11/14/2025, 8:33:45 PM

Last enriched: 11/14/2025, 8:48:17 PM

Last updated: 11/15/2025, 8:34:34 AM
