Unrated severity · NVD Advisory · Published Sep 26, 2025 · Updated Jan 28, 2026
FlagForgeCTF Exposes User Emails via Public /api/user/[username] API
CVE-2025-59843
Description
Flag Forge is a Capture The Flag (CTF) platform. In versions 2.0.0 up to but not including 2.3.2, the public, unauthenticated endpoint /api/user/[username] includes the user's email address in its JSON response, so anyone who can guess or enumerate usernames can harvest email addresses. The fix, intended for release 2.3.1 but only shipped in version 2.3.2, removes email addresses from public API responses while leaving the endpoint itself publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate the exposure. There are no workarounds for this vulnerability.
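The defect and the fix described above come down to what the route handler serialises. The following is an added example, not FlagForge's own code: it contrasts a handler that returns the whole stored user record with one that returns an explicit allowlist of public fields, and adds a check that walks a JSON response looking for leaked email addresses. The in-memory store, field names and handler signatures are assumptions for illustration.

```javascript
// Added example (not FlagForge's code). Field names, the store and the
// handler signatures are assumptions standing in for a real Next.js route.

// Constructed in-memory user store standing in for the platform's database.
const USERS = {
  alice: { username: "alice", email: "alice@example.org", score: 1337, team: "blue", passwordHash: "$2b$..." },
  bob:   { username: "bob",   email: "bob@example.net",   score: 420,  team: "red",  passwordHash: "$2b$..." },
};

// Vulnerable shape (the pattern the advisory describes): the handler copies
// the stored record straight into the response, so every stored column,
// email included, becomes public.
function vulnerableHandler(username) {
  const user = USERS[username];
  if (!user) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { ...user } };
}

// Hardened shape: project the record through an explicit allowlist. A column
// added to the user record later is not exposed unless it is added here too.
const PUBLIC_FIELDS = ["username", "score", "team"];

function toPublicUser(user) {
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (field in user) out[field] = user[field];
  }
  return out;
}

function fixedHandler(username) {
  const user = USERS[username];
  if (!user) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: toPublicUser(user) };
}

// Regression check: walk any JSON value and return the JSONPath-style
// locations of string values that look like email addresses. Run it against
// the body of every public endpoint to catch this class of leak.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function findEmailLeaks(value, path = "$") {
  const leaks = [];
  if (typeof value === "string") {
    if (EMAIL_RE.test(value)) leaks.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => leaks.push(...findEmailLeaks(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, item] of Object.entries(value)) {
      leaks.push(...findEmailLeaks(item, `${path}.${key}`));
    }
  }
  return leaks;
}

// Demonstration on the constructed store.
console.log("vulnerable:", findEmailLeaks(vulnerableHandler("alice").body)); // [ '$.email' ]
console.log("fixed:", findEmailLeaks(fixedHandler("alice").body));           // []
```

Because the advisory notes there is no workaround, the only remediation is upgrading to 2.3.2 or later; the `findEmailLeaks` check is useful afterwards to confirm that an upgraded instance's public endpoints no longer return email addresses, and to keep them from regressing when new fields are added to the user record.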
Affected products
- FlagForgeCTF/flagForge (no CPE assigned): versions >= 2.0.0, < 2.3.2
Patches
- Fixed in version 2.3.2 (commit 1b033f1b6e20fbf6df422d5d1afc9b2347528ace), which removes email addresses from public API responses; the endpoint remains publicly accessible. The fix was announced for 2.3.1 but did not ship until 2.3.2.
Vulnerability mechanics
- The unauthenticated endpoint /api/user/[username] returned the user's email address as part of its JSON response, so username lookup alone was enough to obtain it. No special privileges or authentication were required.
References
- https://github.com/FlagForgeCTF/flagForge/commit/1b033f1b6e20fbf6df422d5d1afc9b2347528ace (fix commit)
- https://github.com/FlagForgeCTF/flagForge/compare/v2.3.1...v2.3.2
- https://github.com/FlagForgeCTF/flagForge/releases/tag/v2.3.1
- https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-qqjv-8r5p-7xpj (vendor advisory)