Last active
September 11, 2025 09:19
Incorrect Access Control
[Description]:
An issue in petstore v1.0.7 allows a remote attacker to perform arbitrary delete operations via the DELETE /pet/{petId} endpoint by bypassing API key authentication.

[Vulnerability Type]:
Incorrect Access Control

[Vendor of Product]:
https://github.com/swagger-api/swagger-petstore

[Affected Product Code Base]:
swagger-petstore - v1.0.7

[Affected Component]:
All DELETE /pet/{petId} requests authenticated with an API key are potentially vulnerable. An attacker can delete a specified petId by forging an API key, regardless of whether they have the proper permissions.

[Attack Vectors]:
1. Invalid API Key Bypass: An attacker constructs a malicious DELETE request using a forged or invalid API key. Because the backend does not properly validate the key, the attacker can delete arbitrary pet records.
2. Automated Attacks: Attackers can script or automate requests to delete multiple pet records in bulk, causing data loss and potential business disruption.

[PoC]:
https://gist.github.com/HouqiyuA/4efd1aac7c7c7ab0cd5db48d62541a74

[Reference]:
https://github.com/swagger-api/swagger-petstore
https://github.com/swagger-api/swagger-petstore/blob/master/src/main/resources/openapi.yaml

[CVE]:
CVE-2025-29155
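As an added illustration (not code from this gist or from the swagger-petstore project), a hypothetical Python handler for DELETE /pet/{petId} that places the presence-only api_key check behind the bypass next to a check against issued keys, with an audit hook so rejected bulk attempts remain visible to defenders; VALID_API_KEYS, the pet store contents and all function names are assumptions.

```python
import hmac

# Constructed sample data for this added example (not taken from the advisory):
# the API keys the server actually issued.
VALID_API_KEYS = {"k-7f3a9c", "k-2b81de"}


def weak_authorize(headers):
    """Presence-only check: any non-empty api_key header is accepted.

    This models the failure mode in the advisory: a forged key passes."""
    return bool(headers.get("api_key"))


def strong_authorize(headers, valid_keys=VALID_API_KEYS):
    """Accept only a key the server actually issued.

    compare_digest keeps each comparison constant-time; encoding to bytes
    avoids the TypeError compare_digest raises on non-ASCII str input."""
    presented = headers.get("api_key", "").encode("utf-8")
    return any(hmac.compare_digest(presented, k.encode("utf-8")) for k in valid_keys)


def delete_pet(pet_id, headers, pets, authorize=strong_authorize, audit=None):
    """Handle DELETE /pet/{petId}; returns the HTTP status code.

    `authorize` is injected so the weak and hardened checks can be compared.
    Every attempt is appended to `audit` (if given) so bulk deletion with a
    forged key shows up in logs even when it is rejected."""
    key = headers.get("api_key", "")
    allowed = authorize(headers)
    if audit is not None:
        audit.append((key, pet_id, "allowed" if allowed else "denied"))
    if not allowed:
        return 401  # reject before touching any state
    if pet_id not in pets:
        return 404
    del pets[pet_id]
    return 200


def denied_count(audit, key):
    """Count rejected DELETE attempts for one presented key (detection hook)."""
    return sum(1 for k, _, outcome in audit if k == key and outcome == "denied")
```

With the weak check a forged key deletes a record; with the issued-key check the same request returns 401 and the attempt is recorded for later review.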