CVE-2025-53633 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-53633 PUBLISHED CVSS 8.699999809265137 HIGH

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 14042aa and shipped in v0.1.4.

EPSS 0.11% · 29.2th percentile

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.11%

29.2th percentile

Affected Products

Vendor	Product	Versions
ctfer-io	chall-manager	< 0.1.4, 0
github.com	ctfer-io/chall-manager	0

Timeline

Jan 21, 1970 Security Advisory
Jul 10, 2025 CVE Published
Jul 10, 2025 Coalition ESS Score
Jul 10, 2025 Coalition ESS Score
Jul 11, 2025 EPSS Score
Jul 15, 2025 Coalition ESS Score
Jul 20, 2025 EPSS Score
Jul 29, 2025 EPSS Score
Aug 7, 2025 EPSS Score
Aug 14, 2025 Coalition ESS Score
Aug 15, 2025 EPSS Score
Aug 22, 2025 Coalition ESS Score

References

Open in Interactive Console →