CVE-2025-24899
Published: 03 February 2025
Summary
CVE-2025-24899 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Yogeshojha Rengine. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks in the top 32.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 directly enforces proper access authorizations on the /api/listVulnerability/ endpoint to prevent any-role insiders from extracting other users' sensitive information.
AC-6 implements least privilege to ensure roles like Auditor or Penetration Tester cannot access credentials and personal details of other reNgine users.
AC-24 enables role-based access control decisions for system resources like the vulnerable API, restricting unauthorized data retrieval.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes usernames, passwords, emails, and other account details from other users via an improperly access-controlled API endpoint, directly enabling adversaries to obtain unsecured credentials.
NVD Description
reNgine is an automated reconnaissance framework for web applications. A vulnerability was discovered in reNgine, where **an insider attacker with any role** (such as Auditor, Penetration Tester, or Sys Admin) **can extract sensitive information from other reNgine users.** After running a scan and obtaining vulnerabilities from a target, the attacker can retrieve details such as `username`, `password`, `email`, `role`, `first name`, `last name`, `status`, and `activity information` by making a GET request to `/api/listVulnerability/`. This issue has been addressed in version 2.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-24899 is a vulnerability in reNgine, an automated reconnaissance framework for web applications, that allows an insider attacker with any role, such as Auditor, Penetration Tester, or Sys Admin, to extract sensitive information from other reNgine users. The issue stems from improper access controls on the `/api/listVulnerability/` endpoint, enabling attackers to retrieve details including username, password, email, role, first name, last name, status, and activity information after running a scan on a target. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200.
An authenticated insider with any role in reNgine can exploit this vulnerability by making a GET request to `/api/listVulnerability/` following a scan execution. This grants access to confidential user data across the platform, potentially compromising the privacy and security of other users' accounts, including credentials and personal details.
The vulnerability has been addressed in reNgine version 2.2.0, and all users are advised to upgrade immediately, as no workarounds are available. Details on the fix are provided in the GitHub commit at https://github.com/yogeshojha/rengine/commit/a658b8519f1a3347634b04733cf91ed933af1f99 and the security advisory at https://github.com/yogeshojha/rengine/security/advisories/GHSA-r3fp-xr9f-wv38.
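The failure mode described above is a listing endpoint that serialises related user records wholesale. The following is an added example, not reNgine's own code or its actual fix: the over-exposing pattern beside an allowlist-based serialiser, plus a scanner that reports leaked user fields in a response. The record layout and field names are constructed assumptions; the sensitive field set is taken from the advisory text.

```python
# Added example (not reNgine's code): over-exposing vs allowlisted serialisation
# of nested user records, plus a response check. Field names are assumptions.

# Fields the advisory says /api/listVulnerability/ exposed about other users.
SENSITIVE_USER_FIELDS = frozenset({
    "password", "email", "role", "first_name", "last_name",
    "status", "last_login", "date_joined",
})
# The only user attributes a vulnerability listing legitimately needs.
USER_PUBLIC_FIELDS = ("id", "username")

# Constructed sample: a finding whose nested user object carries the
# password hash and profile data exactly as stored in the database.
SAMPLE_VULN = {
    "id": 42, "name": "Open redirect", "severity": 2,
    "discovered_by": {
        "id": 7, "username": "auditor1", "password": "pbkdf2_sha256$...",
        "email": "auditor1@example.internal", "role": "auditor",
        "first_name": "Ann", "last_name": "Auditor", "status": "active",
        "last_login": "2025-01-30T10:12:00Z",
    },
}

def serialize_vuln_unsafe(vuln):
    """Vulnerable pattern: the nested user object is copied through unchanged."""
    return {k: (dict(v) if isinstance(v, dict) else v) for k, v in vuln.items()}

def serialize_user(user):
    """Allowlist: any attribute not explicitly public is dropped."""
    return {k: user[k] for k in USER_PUBLIC_FIELDS if k in user}

def serialize_vuln(vuln):
    """Hardened pattern: every nested user passes through serialize_user."""
    return {k: (serialize_user(v) if k == "discovered_by" else v)
            for k, v in vuln.items()}

def leaked_fields(payload, path=""):
    """Return JSON paths of sensitive user keys found anywhere in a response."""
    found = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            here = f"{path}.{k}" if path else k
            if k in SENSITIVE_USER_FIELDS:
                found.append(here)
            found.extend(leaked_fields(v, here))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            found.extend(leaked_fields(v, f"{path}[{i}]"))
    return found
```

Running `leaked_fields` over a captured response from your own instance is a quick regression check that an upgrade to 2.2.0 actually removed the exposed fields.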
Details
- CWE(s)