Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-54554 PoC — Tera Insights tiCrypt 安全漏洞

Source
https://github.com/Aman-Parmar/CVE-2025-54554
Associated Vulnerability
Title:Tera Insights tiCrypt 安全漏洞 (CVE-2025-54554)
Description:tiaudit in Tera Insights tiCrypt before 2025-07-17 allows unauthenticated REST API requests that reveal sensitive information about the underlying SQL queries and database structure.
Description
CVE-2025-54554 – Unauthenticated Access in tiaudit REST API leading to Sensitive Information Disclosure
Readme
# CVE-2025-54554

# CVE-2025-54554 – Unauthenticated Access in tiaudit REST API leading to Sensitive Information Disclosure

# Discoverer: Amanpreet Parmar | Sr. Security Engineer @Harvard Medical School

# Summary:
CVE-2025-54554 identifies a vulnerability in the tiaudit component of the ticrypt platform, developed by Tera Insights. The issue allows unauthenticated access to REST API endpoints that expose sensitive information about the underlying SQL queries and database structure.

# Description
Prior to July 17, 2025, the tiaudit audit logging service allowed unauthenticated users to access its REST API endpoints. These endpoints disclosed internal SQL query patterns and database schema information without requiring authentication.

Although initially considered expected behavior per the documentation, the vendor has acknowledged this posed an information disclosure risk and agreed that access should be restricted to authenticated users only. A fix has also been implemented and reflected in the documentation referred below.

# Impact
Vulnerability Type: Improper Access Control

Attack Vector: Local (Unauthenticated)

Impact: Information Disclosure

Affected Component: REST API endpoints in tiaudit

Vendor: Tera Insights

Fix Status: Resolved by vendor as of July 25, 2025

Documentation Reference: https://ticrypt.com/docs/ticrypt-backend/audit/rest

# A Note on ticrypt
While this vulnerability was valid, it’s worth stating that the overall security design of ticrypt is outstanding. Its architecture demonstrates deep attention to layered security, least privilege, and cryptographic enforcement of access — especially important for environments governed by standards like NIST 800-171. After reviewing the whitepaper (https://ticrypt.com/whitepaper) and internal components, I was genuinely impressed by protections I hadn’t previously encountered.
File Snapshot

 [4.0K]  /data/pocs/956097a3e5866d99cc79c7801d0d75ab01213ed9
└── [1.8K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →