CVE-2025-14317

In Crazy Bubble Tea mobile application authenticated attacker canobtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Serverdoes not verify the permissions required to obtain the data.


This issue was fixed in version915 (Android) and 7.4.1 (iOS).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
CERT-PLCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://cert.pl/posts/2026/01/CVE-2025-14317
https://crazybubble.pl/aplikacja-crazy-bubble/