CVE-2025-65951: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in mescuwa entropy-derby
Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f.
AI Analysis
Technical Summary
The vulnerability CVE-2025-65951 affects the entropy-derby betting engine developed by mescuwa, specifically its Verifiable Delay Function (VDF)-based timelock encryption mechanism. The system is designed to enforce a sequential delay in decrypting bet tickets, ensuring that bets remain confidential until a predetermined time. However, prior to the patch in commit 2d38d2f16bbb3b4240698148f80d8c5202725c77, bettors could pre-compute the entire Wesolowski VDF output and include the vdfOutputHex in their encrypted bet tickets. This bypasses the intended sequential delay because the betting house can verify the VDF proof quickly instead of performing the computationally expensive VDF evaluation. As a result, the house can decrypt bets immediately, exposing sensitive betting information prematurely. This flaw constitutes an exposure of sensitive information (CWE-200) and relates to weaknesses in cryptographic implementation (CWE-327). The vulnerability requires network access and high privileges but no user interaction. The impact affects confidentiality and integrity of bet data but does not affect availability. The issue has been fixed in the specified commit, which enforces proper sequential delay and prevents pre-computation attacks.
Potential Impact
For European organizations operating or relying on entropy-derby for horse-racing betting, this vulnerability can lead to premature exposure of sensitive betting information. This undermines the fairness and integrity of betting operations, potentially causing financial losses, reputational damage, and regulatory compliance issues under GDPR and gambling regulations. Betting operators could be exploited by malicious bettors or insiders who pre-compute VDF outputs to gain unfair advantages or manipulate outcomes. The breach of confidentiality may also erode customer trust and invite legal scrutiny. Since the vulnerability affects the cryptographic timelock mechanism, it compromises the core security guarantees of the betting engine. Although no availability impact is noted, the integrity and confidentiality breaches are significant for maintaining trust in regulated betting markets across Europe.
Mitigation Recommendations
Operators should immediately update entropy-derby to versions including or later than commit 2d38d2f16bbb3b4240698148f80d8c5202725c77, which patches the vulnerability by enforcing proper sequential delay in the VDF timelock encryption. Additionally, organizations should audit their betting ticket generation and verification processes to ensure no pre-computed VDF outputs are accepted. Implement strict access controls to limit high-privilege operations to trusted personnel only. Monitoring and logging of betting ticket submissions and decryptions should be enhanced to detect anomalous patterns indicative of pre-computation attempts. Regular cryptographic code reviews and penetration testing focused on VDF implementations are recommended to prevent similar issues. Finally, organizations should engage with regulatory bodies to report remediation status and ensure compliance with data protection and gambling fairness standards.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden
CVE-2025-65951: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in mescuwa entropy-derby
Description
Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f.
AI-Powered Analysis
Technical Analysis
The vulnerability CVE-2025-65951 affects the entropy-derby betting engine developed by mescuwa, specifically its Verifiable Delay Function (VDF)-based timelock encryption mechanism. The system is designed to enforce a sequential delay in decrypting bet tickets, ensuring that bets remain confidential until a predetermined time. However, prior to the patch in commit 2d38d2f16bbb3b4240698148f80d8c5202725c77, bettors could pre-compute the entire Wesolowski VDF output and include the vdfOutputHex in their encrypted bet tickets. This bypasses the intended sequential delay because the betting house can verify the VDF proof quickly instead of performing the computationally expensive VDF evaluation. As a result, the house can decrypt bets immediately, exposing sensitive betting information prematurely. This flaw constitutes an exposure of sensitive information (CWE-200) and relates to weaknesses in cryptographic implementation (CWE-327). The vulnerability requires network access and high privileges but no user interaction. The impact affects confidentiality and integrity of bet data but does not affect availability. The issue has been fixed in the specified commit, which enforces proper sequential delay and prevents pre-computation attacks.
Potential Impact
For European organizations operating or relying on entropy-derby for horse-racing betting, this vulnerability can lead to premature exposure of sensitive betting information. This undermines the fairness and integrity of betting operations, potentially causing financial losses, reputational damage, and regulatory compliance issues under GDPR and gambling regulations. Betting operators could be exploited by malicious bettors or insiders who pre-compute VDF outputs to gain unfair advantages or manipulate outcomes. The breach of confidentiality may also erode customer trust and invite legal scrutiny. Since the vulnerability affects the cryptographic timelock mechanism, it compromises the core security guarantees of the betting engine. Although no availability impact is noted, the integrity and confidentiality breaches are significant for maintaining trust in regulated betting markets across Europe.
Mitigation Recommendations
Operators should immediately update entropy-derby to versions including or later than commit 2d38d2f16bbb3b4240698148f80d8c5202725c77, which patches the vulnerability by enforcing proper sequential delay in the VDF timelock encryption. Additionally, organizations should audit their betting ticket generation and verification processes to ensure no pre-computed VDF outputs are accepted. Implement strict access controls to limit high-privilege operations to trusted personnel only. Monitoring and logging of betting ticket submissions and decryptions should be enhanced to detect anomalous patterns indicative of pre-computation attempts. Regular cryptographic code reviews and penetration testing focused on VDF implementations are recommended to prevent similar issues. Finally, organizations should engage with regulatory bodies to report remediation status and ensure compliance with data protection and gambling fairness standards.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-11-18T16:14:56.692Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6924fa182a08b12b0e784280
Added to database: 11/25/2025, 12:36:40 AM
Last enriched: 12/2/2025, 4:27:21 AM
Last updated: 1/9/2026, 7:30:54 AM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-70974: CWE-829 Inclusion of Functionality from Untrusted Control Sphere in Alibaba Fastjson
CriticalCVE-2026-0563: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pagup WP Google Street View (with 360° virtual tour) & Google maps + Local SEO
MediumCVE-2025-15057: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in veronalabs SlimStat Analytics
HighCVE-2025-15055: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in veronalabs SlimStat Analytics
HighCVE-2025-15019: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pagup Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.