CVE-2026-21854
The Tarkov Data Manager is a tool to manage the Tarkov item
Executive summary
A critical authentication bypass vulnerability exists in the Tarkov Data Manager. This flaw allows any unauthenticated attacker to gain full administrative access to the application by sending a specially crafted request to the login page. Successful exploitation could lead to complete system compromise, data theft, and unauthorized modification of all managed data.
Vulnerability
The vulnerability is an authentication bypass in the application's login endpoint. It stems from a combination of two weaknesses: a JavaScript prototype property access weakness (commonly known as Prototype Pollution) and the use of loose equality type coercion in the authentication logic. An unauthenticated attacker can send a specially crafted request, likely a JSON payload, to the login endpoint. The payload manipulates the JavaScript object's prototype, which in turn tricks the server-side authentication check that relies on loose equality (== instead of ===) into incorrectly validating the attacker's session and granting full administrative privileges without any credentials.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation by an unauthenticated attacker grants complete administrative control over the Tarkov Data Manager. This could result in catastrophic business consequences, including the theft, modification, or deletion of sensitive item data, disruption of services relying on this data, and reputational damage. An attacker with admin access could also potentially use the application as a foothold to launch further attacks against the underlying server and other connected systems within the network.
Remediation
Immediate Action: The primary and most effective remediation is to update all instances of The Tarkov Data Manager to the latest version, which contains the security patches released on 02 January 2025. After patching, it is crucial to review access logs for any signs of compromise prior to the update, such as successful administrative logins from unknown IP addresses.
Proactive Monitoring: Implement enhanced monitoring of the application's login endpoint. Security teams should look for unusual or malformed HTTP requests, particularly those containing JSON payloads with suspicious keys like __proto__, constructor, or prototype. Alert on successful administrative logins that do not correlate with legitimate administrator activity or originate from untrusted network locations.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk of exploitation. Place the application behind a Web Application Firewall (WAF) with rules configured to detect and block common prototype pollution attack patterns. Additionally, restrict network access to the admin panel, allowing connections only from trusted IP addresses or requiring users to connect via a VPN.
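The following added example (not code from the advisory or from the Tarkov Data Manager project) shows the two defensive measures the Vulnerability and Proactive Monitoring sections point at: scanning a parsed JSON login body for the keys named above so such requests can be logged or rejected, and a credential check that ignores inherited properties, requires string values and compares with strict equality. The user table, field names and request bodies are constructed for the example.

```javascript
// Added example (not from the advisory or the Tarkov Data Manager project):
// a scanner for the keys named in the monitoring guidance (__proto__,
// constructor, prototype) and a login check that ignores inherited properties,
// requires string fields and uses strict equality, so neither a polluted
// prototype nor type coercion can make a wrong credential pass.
// The user table, field names and request bodies are constructed.

const SUSPICIOUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Constructed sample user table; null prototype so it inherits nothing.
const SAMPLE_USERS = Object.assign(Object.create(null), {
  admin: { password: 'correct horse battery staple', role: 'admin' },
});

// Walk a parsed JSON value and return the paths of suspicious keys. JSON.parse
// stores "__proto__" as an own property (not the prototype), so Object.entries sees it.
function findSuspiciousKeys(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.entries(value);
  for (const [key, child] of entries) {
    const childPath = `${path}/${key}`;
    if (SUSPICIOUS_KEYS.has(key)) found.push(childPath);
    findSuspiciousKeys(child, childPath, found);
  }
  return found;
}

// Hardened credential check: own-property lookups only, string-typed fields,
// strict equality. A real deployment would compare a password hash instead.
function authenticate(body, users) {
  if (body === null || typeof body !== 'object') return false;
  if (!Object.hasOwn(body, 'username') || !Object.hasOwn(body, 'password')) return false;
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  if (!Object.hasOwn(users, username)) return false; // never walk the prototype chain
  return users[username].password === password;      // ===, never ==
}

// Login handler: reject malformed bodies and bodies carrying suspicious keys
// before any credential logic runs; the reason string is what you would log.
function handleLogin(rawBody, users) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, reason: 'malformed JSON' }; }
  const hits = findSuspiciousKeys(body);
  if (hits.length > 0) return { ok: false, reason: `suspicious keys: ${hits.join(', ')}` };
  return authenticate(body, users) ? { ok: true, reason: 'ok' }
                                   : { ok: false, reason: 'invalid credentials' };
}
```

The `reason` strings are the signal to feed into the login-endpoint monitoring described above; a burst of `suspicious keys` rejections is exactly the malformed-request pattern to alert on.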
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score of 9.8 and the ability for an unauthenticated attacker to achieve full system compromise, this vulnerability represents an immediate and severe risk. We strongly recommend that organizations identify all affected instances of The Tarkov Data Manager and apply the vendor-provided patches without delay. Due to the high likelihood of exploit development, this vulnerability should be treated with the highest priority, regardless of its current absence from the CISA KEV catalog.