Unrated severityNVD Advisory· Published Sep 24, 2025· Updated Sep 24, 2025

FlagForgeCTF Hint Exposure via API

CVE-2025-59833

Description

Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0.

Affected products

Flagforgectf/Flagforgev5
Range: >= 2.1.0, < 2.3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-hm85-2j65-j8j2mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000