CVE-2025-8797
Published: 10 August 2025
Summary
CVE-2025-8797 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Litmuschaos Litmus. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.
Regular reviews catch incorrect privilege assignments to users, roles, or processes.
Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables privilege escalation by manipulating the projectRole in browser localStorage (due to missing backend validation), facilitating exploitation of a software vulnerability for privilege escalation (T1068) and permissions modification akin to file/directory permissions weakness handling (T1222, as cited in VulDB advisory).
NVD Description
A vulnerability was found in LitmusChaos Litmus up to 3.19.0 and classified as critical. This issue affects some unknown processing of the component LocalStorage Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has…
more
been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-8797 is a critical vulnerability in LitmusChaos Litmus versions up to 3.19.0, affecting an unknown processing component known as the LocalStorage Handler. The issue involves manipulation that leads to permission problems, classified under CWE-266 (Incorrect Privilege Assignment) and CWE-275 (Permission Issues). It carries a CVSS v3.1 base score of 6.3, reflecting network accessibility with low attack complexity.
A remote attacker with low privileges (PR:L) can exploit this vulnerability without user interaction, achieving low impacts on confidentiality, integrity, and availability. The manipulation targets the LocalStorage Handler, enabling unauthorized permission changes that could allow limited data exposure, modification, or disruption within the affected Litmus instance.
Advisories from VulDB detail the issue, noting that the exploit has been publicly disclosed and may be in use, with the vendor contacted early but providing no response. References include VulDB entries (ctiid.319325, id.319325, submit.625991) and a GitHub repository (MaiqueSilva/VulnDB readme07.md), but no patches or official mitigations are specified.
The exploit disclosure increases the risk of active exploitation in unpatched LitmusChaos Litmus deployments up to version 3.19.0.
Details
- CWE(s)