CVE-2025-71377
Stoatchat · Stoatchat
Stoatchat is vulnerable to an unrestricted message history fetch due to a comparison using wrong factors, potentially leading to unauthorized data access.
Executive summary
Stoatchat versions before 20250210-1 contain a logic error that permits unauthorized access to message history, posing a high risk to data confidentiality.
Vulnerability
The software suffers from CWE-1025, which is a comparison using the wrong factors during authentication or authorization checks. An unauthenticated attacker can exploit this logic flaw to retrieve message history that should be restricted.
Business impact
Successful exploitation allows unauthorized parties to access sensitive communication history, leading to potential data breaches and violations of privacy regulations. With a CVSS score of 8.7, this vulnerability is critical for organizations relying on Stoatchat for internal or external messaging, as it compromises the confidentiality of stored data.
Remediation
Immediate Action: Update Stoatchat to version 20250210-1 (0.8.2) or later to rectify the flawed logic used in data access comparisons.
Proactive Monitoring: Review application access logs for unusual patterns of message retrieval or requests originating from unauthorized users.
Compensating Controls: If an immediate update is not feasible, restrict access to the messaging server at the network level to trusted IP ranges only.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The vulnerability in Stoatchat directly threatens the confidentiality of user communications. We strongly recommend applying the latest security updates immediately to ensure that access control comparisons are performed correctly and that message history remains protected.