CVE-2025-53633

CRITICAL
Published Jul 10, 2025 Modified Aug 14, 2025 CWE-405

Description

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 14042aa and shipped in v0.1.4.

CVSS v3.1 Score

9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-405 CWE-405

Affected Products

Vendor Product
ctfer-io chall-manager

References

Frequently Asked Questions

What is CVE-2025-53633? +
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 14042aa and shipped in v0.1.4. It has a CVSS v3.1 base score of 9.8 (CRITICAL).
How severe is CVE-2025-53633? +
CVE-2025-53633 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.
What products are affected by CVE-2025-53633? +
CVE-2025-53633 affects products from ctfer-io, specifically: chall-manager. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-53633? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-56200 8.6

Altair is a fork of Misskey v12. Affected versions lack of request validation and lack of authentication in the image …
CVE-2025-42874 7.9

SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on …
CVE-2024-34703 7.5

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit …
CVE-2025-30204 7.5

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, …
CVE-2024-11187 7.5

It is possible to construct a zone such that some queries to it will generate responses containing numerous records in …
CVE-2025-24356 7.5

fastd is a VPN daemon which tunnels IP packets and Ethernet frames over UDP. When receiving a data packet from …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-53633 — free, no signup required.

Start Free Scan