CVE-2025-23212
Published: 28 January 2025
Summary
CVE-2025-23212 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Tandoor Recipes. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE is ranked in the top 47.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for logical access, directly preventing low-privileged users from enumerating and accessing arbitrary server files via the flawed external storage feature.
SI-10 validates inputs to the external storage feature, blocking path traversal or arbitrary file access attempts that enable unauthorized information disclosure.
AC-6 applies least privilege to restrict user access rights, limiting the scope and impact of exploitation of the external storage functionality by any authenticated user.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly allows authenticated remote users to enumerate the names and retrieve the contents of arbitrary server files via the flawed external storage feature, enabling File and Directory Discovery (T1083) and Data from Local System (T1005).
NVD Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. This vulnerability is fixed in 1.5.28.
Deeper analysis
CVE-2025-23212 affects Tandoor Recipes, a self-hosted web application for managing recipes, planning meals, and generating shopping lists. The vulnerability resides in the external storage feature, which permits any authenticated user to enumerate the names and contents of arbitrary files on the server, leading to unauthorized information disclosure classified under CWE-200. It has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, and scope change with high confidentiality impact.
An attacker with low-privilege access, such as a registered user on the Tandoor Recipes instance, can exploit this vulnerability remotely without user interaction. By leveraging the flawed external storage functionality, they can systematically probe and retrieve sensitive file contents from the server, potentially exposing configuration files, user data, or other critical information stored outside the application's intended scope.
The vulnerability is addressed in Tandoor Recipes version 1.5.28, as detailed in the project's GitHub security advisory (GHSA-jrgj-35jx-2qq7) and the corresponding commit (36e83a9d0108ac56b9538b45ead57efc8b97c5ff). Security practitioners should upgrade to the patched version and review access controls for external storage configurations to mitigate exposure.
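As an added illustration of the AC-3 and SI-10 controls listed above, the following is a server-side guard for a per-user external storage file read; it is example code written for this page, not Tandoor's own implementation, and the function names, the owner/requester model and the storage root layout are assumptions.

```python
from pathlib import Path

# Added example (not Tandoor's code): one guard that applies AC-3 (only the
# owner of a storage configuration may read through it) and SI-10 (the
# requested name must stay inside that storage's root directory).
# Function names and the owner/requester model are assumptions.


class StorageAccessError(Exception):
    """Raised when a file request must be refused."""


def resolve_storage_path(storage_root: str, requested: str,
                         storage_owner: str, requester: str) -> Path:
    """Return the absolute on-disk path for `requested`, or raise.

    storage_root : directory this storage configuration may expose
    storage_owner: user id that created the storage configuration
    requester    : user id making the current request
    """
    # AC-3: being an authenticated user is not enough; the requester must
    # own this storage configuration.
    if storage_owner != requester:
        raise StorageAccessError("requester does not own this storage")
    # SI-10: reject anything that is not a plain relative file name.
    if (not requested or "\x00" in requested
            or requested[0] in "/\\" or Path(requested).is_absolute()):
        raise StorageAccessError("malformed path")
    root = Path(storage_root).resolve()
    # Resolve AFTER joining so '..' components and symlinks are collapsed
    # before the containment check.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise StorageAccessError("path escapes storage root")
    return candidate


def access_decision(storage_root, requested, storage_owner, requester) -> str:
    """Convenience wrapper: 'allow' or the refusal reason."""
    try:
        resolve_storage_path(storage_root, requested, storage_owner, requester)
        return "allow"
    except StorageAccessError as exc:
        return str(exc)


if __name__ == "__main__":
    ROOT = "/srv/tandoor/storage/alice"  # constructed sample root
    for req, user in [("recipes/soup.json", "alice"), ("../outside.txt", "alice"),
                      ("/outside.txt", "alice"), ("recipes/soup.json", "bob")]:
        print(f"{user!r} -> {req!r}: {access_decision(ROOT, req, 'alice', user)}")
```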
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)