The vulnerability CVE-2025-65951 affects the entropy-derby betting engine developed by mescuwa, specifically its Verifiable Delay Function (VDF)-based timelock encryption mechanism. The system is designed to enforce a sequential delay in decrypting bet tickets, ensuring that bets remain confidential until a predetermined time. However, prior to the patch in commit 2d38d2f16bbb3b4240698148f80d8c5202725c77, bettors could pre-compute the entire Wesolowski VDF output and include the vdfOutputHex in their encrypted bet tickets. This bypasses the intended sequential delay because the betting house can verify the VDF proof quickly instead of performing the computationally expensive VDF evaluation. As a result, the house can decrypt bets immediately, exposing sensitive betting information prematurely. This flaw constitutes an exposure of sensitive information (CWE-200) and relates to weaknesses in cryptographic implementation (CWE-327). The vulnerability requires network access and high privileges but no user interaction. The impact affects confidentiality and integrity of bet data but does not affect availability. The issue has been fixed in the specified commit, which enforces proper sequential delay and prevents pre-computation attacks.

For European organizations operating or relying on entropy-derby for horse-racing betting, this vulnerability can lead to premature exposure of sensitive betting information. This undermines the fairness and integrity of betting operations, potentially causing financial losses, reputational damage, and regulatory compliance issues under GDPR and gambling regulations. Betting operators could be exploited by malicious bettors or insiders who pre-compute VDF outputs to gain unfair advantages or manipulate outcomes. The breach of confidentiality may also erode customer trust and invite legal scrutiny. Since the vulnerability affects the cryptographic timelock mechanism, it compromises the core security guarantees of the betting engine. Although no availability impact is noted, the integrity and confidentiality breaches are significant for maintaining trust in regulated betting markets across Europe.

Operators should immediately update entropy-derby to versions including or later than commit 2d38d2f16bbb3b4240698148f80d8c5202725c77, which patches the vulnerability by enforcing proper sequential delay in the VDF timelock encryption. Additionally, organizations should audit their betting ticket generation and verification processes to ensure no pre-computed VDF outputs are accepted. Implement strict access controls to limit high-privilege operations to trusted personnel only. Monitoring and logging of betting ticket submissions and decryptions should be enhanced to detect anomalous patterns indicative of pre-computation attempts. Regular cryptographic code reviews and penetration testing focused on VDF implementations are recommended to prevent similar issues. Finally, organizations should engage with regulatory bodies to report remediation status and ensure compliance with data protection and gambling fairness standards.