Cyber Resilience

CVE-2025-23044

Medium · Public PoC

Published: 20 January 2025
Modified: 07 May 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (commit 14acb704891245bf1703ce6296d62112e85aa995)
CVSS Score v3.1: 6.8 (Medium), CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score: 0.0040 (61.3rd percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23044 is a medium-severity Cross-Site Request Forgery (CWE-352) vulnerability in PwnDoc (listed as Pwndoc Project Pwndoc), affecting versions 0.9.0 and earlier. Its CVSS v3.1 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the 61.3rd percentile, i.e. in the top 38.7% of CVEs by estimated exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-23044 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting PwnDoc, an open-source penetration test report generator. PwnDoc applied no CSRF protection: its cookies were set without a SameSite attribute, so browsers attached them to requests initiated from other sites, and, as the advisory notes, the cookies could also be refreshed. A page under the attacker's control can therefore issue both GET and POST requests that the server treats as coming from the logged-in user. The vulnerability received a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and was published on 20 January 2025.

The attack runs remotely over the network and needs no privileges on PwnDoc, but attack complexity is rated High and user interaction is required: the attacker must lure an already logged-in user to a page that issues the forged requests, and those requests only succeed while the browser still attaches the session cookie. A successful attack lets the attacker perform actions with the victim's privileges inside PwnDoc, which is why confidentiality and integrity impact are both rated High (reading or modifying data the victim can reach through forged requests); availability is not affected.

A fix is available in commit 14acb704891245bf1703ce6296d62112e85aa995 in the pwndoc repository, which adds the missing CSRF protections. Further details are in the GitHub security advisory GHSA-9v2v-jxvw-52rq.

Vulnerability details

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CSRF weakness sits in an Internet-facing web application: exploiting it gives an attacker the ability to make authenticated requests to PwnDoc as the victim, which matches T1190 (Exploit Public-Facing Application), with unauthorized data access or modification as the outcome.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-27410 (same product: Pwndoc Project Pwndoc)
CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)

Affected Assets

pwndoc project: pwndoc, versions ≤ 0.9.0

Mitigating Controls

Mapped controls (NIST 800-53 r5, AI-mapped):

SC-23 Session Authenticity (prevent)
Requires mechanisms to protect the authenticity of communications sessions. This directly addresses CSRF: validating each state-changing request with an anti-CSRF token, or restricting cookie transmission with the SameSite attribute, stops forged actions on an authenticated user's behalf.

IA-5 Authenticator Management (prevent)
Mandates management of authenticators, including session cookies. Setting secure attributes such as SameSite keeps the browser from sending the session cookie on the cross-site requests this CVE relies on.

CM-6 Configuration Settings (prevent)
Establishes and enforces secure configuration settings for web applications and their cookies, covering the missing SameSite attribute and the absent CSRF protections described in this CVE.
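The controls above and the deeper analysis both come down to two server-side changes: set the SameSite attribute on the cookie, and verify that a request really came from the application before acting on it. The block below is an added example, not PwnDoc's code and not taken from the advisory or the fix commit. It shows a Set-Cookie builder that emits the attribute the vulnerable version lacked, and a request check that combines Fetch Metadata, an Origin/Referer comparison and a double-submit token. The cookie and header names, the site origin https://pwndoc.example, the attacker origin https://evil.example and the four request objects are all constructed for the demonstration. The check is applied by route (any route that changes state or returns sensitive data), not by HTTP method, because the advisory covers GET as well as POST.

```javascript
// Added example (not PwnDoc code): cookie attributes and a request-side CSRF
// check. Origins, cookie names and header names are hypothetical.

// Set-Cookie value for the session token. Omitting SameSite (the defect this
// CVE describes) lets the browser attach the cookie to cross-site requests.
// Strict withholds it from every cross-site request; Lax withholds it from
// cross-site POSTs but still sends it on top-level GET navigations.
function sessionCookie(name, value, { sameSite = 'Strict', secure = true, httpOnly = true, path = '/' } = {}) {
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Constant-time comparison so the token check does not leak by timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request may reach a state-changing or sensitive route.
// req is a plain object: { method, headers: {...}, cookies: {...} }.
function csrfVerdict(req, siteOrigin) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;

  // 1. Fetch Metadata: browsers label requests initiated by another site.
  const fetchSite = headers['sec-fetch-site'];
  if (fetchSite && fetchSite !== 'same-origin' && fetchSite !== 'none') {
    return { allowed: false, reason: `Sec-Fetch-Site is ${fetchSite}` };
  }

  // 2. Origin (or Referer as a fallback) must be this site when present.
  let source = headers['origin'];
  if (!source && headers['referer']) source = new URL(headers['referer']).origin;
  if (source && source !== siteOrigin) {
    return { allowed: false, reason: `request originated from ${source}` };
  }

  // 3. Double-submit token: the client copies a cookie value into a custom
  // header. A cross-site page can neither read that cookie nor set the header.
  const headerToken = headers['x-csrf-token'];
  const cookieToken = req.cookies && req.cookies.csrf;
  if (!headerToken || !cookieToken || !constantTimeEqual(headerToken, cookieToken)) {
    return { allowed: false, reason: 'missing or mismatched CSRF token' };
  }
  return { allowed: true, reason: 'same-origin request with valid token' };
}

// Constructed requests: the two cases the advisory names, plus two same-origin calls.
const SITE = 'https://pwndoc.example';
const SCENARIOS = {
  // attacker page auto-submits a form; the browser attaches the session cookie
  crossSitePost: { method: 'POST', headers: { origin: 'https://evil.example', 'sec-fetch-site': 'cross-site' },
                   cookies: { token: 'jwt', csrf: 'c0ffee' } },
  // user follows a lure link to a state-changing GET route
  crossSiteGet: { method: 'GET', headers: { referer: 'https://evil.example/lure', 'sec-fetch-site': 'cross-site' },
                  cookies: { token: 'jwt', csrf: 'c0ffee' } },
  // same-origin call that forgot the token header
  sameOriginNoToken: { method: 'POST', headers: { origin: SITE, 'sec-fetch-site': 'same-origin' },
                       cookies: { token: 'jwt', csrf: 'c0ffee' } },
  // legitimate call: same origin, header equals cookie
  legitimate: { method: 'POST', headers: { origin: SITE, 'sec-fetch-site': 'same-origin', 'x-csrf-token': 'c0ffee' },
                cookies: { token: 'jwt', csrf: 'c0ffee' } },
};

// Returns { scenarioName: allowed } for every constructed request.
function runScenarios() {
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) out[name] = csrfVerdict(req, SITE).allowed;
  return out;
}

console.log(sessionCookie('token', 'jwt'));
console.log(runScenarios());
```

The cookie attribute and the request check are deliberately independent: SameSite=Strict alone stops the browser from sending the cookie cross-site, and the server-side check alone rejects forged requests even from a client that ignores SameSite, so a deployment that loses either layer is still covered by the other. The token value itself should come from a CSPRNG and be bound to the session; generating it is outside this block.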
