CVE-2025-53633
Published: 10 July 2025
Summary
CVE-2025-53633 is a critical-severity Amplification (CWE-405) vulnerability in Ctfer-Io Chall-Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates validation of zip archive inputs during scenario decoding to enforce decoded content size checks, directly preventing zip bomb decompression.
Enforces restrictions on zip file inputs such as maximum sizes and expansion ratios to block processing of malicious zip bombs.
Implements denial-of-service protections to limit resource exhaustion effects from unauthenticated zip bomb attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing Chall-Manager via malicious zip input directly maps to T1190; resulting application-level resource exhaustion/DoS via decompression abuse maps to T1499.004.
NVD Description
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not…
more
require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 14042aa and shipped in v0.1.4.
Deeper analysisAI
CVE-2025-53633 affects Chall-Manager, a platform-agnostic system designed to start challenges on demand for players. The vulnerability arises during the decoding of scenarios, which are zip archives, where the size of the decoded content is not checked. This flaw enables the decompression of zip bombs, leading to asymmetric resource consumption as described by CWE-405. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
The vulnerability can be exploited by unauthenticated attackers with network access to the Chall-Manager instance, requiring no authorization. Successful exploitation allows attackers to trigger massive resource exhaustion through specially crafted zip bombs, potentially resulting in high-impact denial of service, as well as impacts to confidentiality, integrity, and availability per the CVSS vector. Although the Chall-Manager documentation highly recommends deploying the system deep within infrastructure to prevent direct user access due to its extensive capabilities, exposure could still enable remote exploitation.
Mitigation is available through a patch implemented in commit 14042aa, which has been shipped in version v0.1.4 of Chall-Manager. Security practitioners should update to this version promptly. Additional details are provided in the project's security advisory (GHSA-r7fm-3pqm-ww5w), the patch commit, and the release notes.
Details
- CWE(s)