CVE-2025-42616— CSRF vulnerability in CIRCL Vulnerability-Lookup
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-42616
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CSRF vulnerability in CIRCL Vulnerability-Lookup
Source: NVD (National Vulnerability Database)
Vulnerability Description
Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user’s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user’s explicit consent or awareness. The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vulnerability-Lookup 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vulnerability-Lookup是Vulnerability-Lookup开源的一个管理披露漏洞的平台。 Vulnerability-Lookup 2.18.0之前版本存在安全漏洞,该漏洞源于HTTP GET请求可修改应用状态,可能导致跨站请求伪造攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| CIRCL | Vulnerability-Lookup | 0 ~ 2.18.0 | - |
II. Public POCs for CVE-2025-42616
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-42616
请登录查看更多情报信息。
- https://vulnerability.circl.lu/vuln/gcve-1-2025-0034vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-42616
Same Patch Batch · CIRCL · 2025-12-08 · 3 CVEs total
| CVE-2025-42615 | Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerabi | |
| CVE-2025-42620 | CSRF vulnerability in CIRCL Vulnerability-Lookup |
IV. Related Vulnerabilities
Same weakness: CWE-352
- CVE-2021-47953
OpenCart 3.0.3.7 Cross-Site Request Forgery via account/pass - CVE-2021-47946
OpenCart 3.0.36 Account Takeover via Cross Site Request Forg - CVE-2022-50955
WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery - CVE-2026-8194
osTicket Dispatcher class.dispatcher.php cross-site request - CVE-2026-42286
Emlog: Cross-Site Request Forgery in Admin Functions
V. Comments for CVE-2025-42616
No comments yet