CVE ID: CVE-2025-57266
Publication date: 2025-09-27
Last updated: 2025-09-27
Reporter: candy
Vendor Project: ThriveX Blogging Framework
An issue was discovered in the ThriveX Blogging Framework that allows unauthorized access to sensitive data.
The vulnerability exists in the AssistantController.java component, where insufficient access control permits unauthenticated attackers to query sensitive resources.
- Product: ThriveX Blogging Framework
- Affected versions: 2.5.9 through 3.1.3
- Not affected: Versions prior to 2.5.9 and versions fixed after 3.1.3
- Vulnerability Type: Incorrect Access Control (CWE-284)
- Attack Vector: Remote, unauthenticated
- Impact: Information Disclosure
- Endpoint: /api/assistant/list
- Description: Unauthenticated attackers can send requests to the /api/assistant/list endpoint and obtain sensitive information, such as API keys used by the application.
The vendor has released a patch to address this issue. Users are strongly advised to upgrade to the latest version of ThriveX Blogging Framework >= 3.1.4, which contains the fix.
For those unable to immediately upgrade, it is recommended to:
- Restrict access to the /api/assistant/list endpoint via authentication and authorization checks.
- Apply additional monitoring for suspicious API requests.
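The monitoring recommendation above can be turned into a concrete check. The following script is an added example, not part of the advisory or of the ThriveX project: it scans web-server access logs for successful (HTTP 200) requests to /api/assistant/list that carried no credential, which on a patched instance should never happen and on an unpatched one indicates the endpoint is being read without authentication. The log format is an assumption (Nginx-style combined format extended with a final quoted field holding the Authorization header value or "-"), and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines; not real ThriveX or vendor logs.
# Format assumed here: combined log format plus a trailing quoted field that
# records the Authorization header ("-" when the request carried none).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Sep/2025:10:00:01 +0000] "GET /api/assistant/list HTTP/1.1" 200 812 "-" "curl/8.4" "-"
203.0.113.10 - - [27/Sep/2025:10:00:02 +0000] "GET /api/assistant/list HTTP/1.1" 200 812 "-" "curl/8.4" "-"
198.51.100.7 - - [27/Sep/2025:10:00:05 +0000] "GET /api/assistant/list HTTP/1.1" 200 812 "https://blog.example/admin" "Mozilla/5.0" "Bearer REDACTED"
198.51.100.7 - - [27/Sep/2025:10:00:06 +0000] "GET /api/article/list HTTP/1.1" 200 4120 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [27/Sep/2025:10:00:09 +0000] "GET /api/assistant/list HTTP/1.1" 200 812 "-" "python-requests/2.32" "-"
192.0.2.44 - - [27/Sep/2025:10:01:00 +0000] "GET /api/assistant/list HTTP/1.1" 401 0 "-" "curl/8.4" "-"
"""

# One regex for the assumed log layout. Any line that does not match is skipped
# rather than crashing the scan, so a stray malformed line cannot hide hits.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<auth>[^"]*)"$'
)

# Endpoint named in the advisory. Add further paths here if the deployment
# exposes other resources that must only be readable by authenticated users.
SENSITIVE_PATHS = {"/api/assistant/list"}


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Strip any query string so /api/assistant/list?x=1 still matches.
    d["path"] = d["path"].split("?", 1)[0]
    return d


def find_unauthenticated_hits(log_text):
    """Return entries where a sensitive path was served with 200 and no credential.

    A 401/403 for the same request is the expected post-patch behaviour and is
    not reported; only successful unauthenticated reads are of interest.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if (entry["path"] in SENSITIVE_PATHS
                and entry["status"] == 200
                and entry["auth"] == "-"):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count unauthenticated successful reads per source IP for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_unauthenticated_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} status={h["status"]} ua="{h["ua"]}"')
    print("per-source:", dict(summarize_by_source(found)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the per-source summary is the quickest way to see whether one client is enumerating the endpoint. If the server does not log the Authorization header, adapt the regex and the `auth` check to whatever session marker is available (for example a cookie name), since the decisive signal is "200 with no credential", not the header by itself.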