CVE-2025-42616

08.12.2025, 13:15

Some endpoints in vulnerability-lookup that modified
application state (e.g. changing database entries, user data,
configurations, or other privileged actions) may have been accessible
via HTTP GET requests without requiring a CSRF token. This flaw leaves
the application vulnerable to Cross-Site Request Forgery (CSRF) attacks:
an attacker who tricks a logged-in user into visiting a malicious
website could cause the users browser to issue GET requests that
perform unintended state-changing operations in the context of their
authenticated session.

Because the server would treat these GET requests as valid (since no
CSRF protection or POST method enforcement was in place), the attacker
could exploit this to escalate privileges, change settings, or carry out
other unauthorized actions without needing the users explicit consent
or awareness.
The fix ensures that all state-changing endpoints now require HTTP POST
requests and include a valid CSRF token. This enforces that state
changes cannot be triggered by arbitrary cross-site GET requests.This issue affects Vulnerability-Lookup: before 2.18.0.

CSRF

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
ENISA	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://vulnerability.circl.lu/vuln/gcve-1-2025-0034