CVE-2025-23212

CVE-2025-23212 affects Tandoor Recipes, a self-hosted web application for managing recipes, planning meals, and generating shopping lists. The vulnerability resides in the external storage feature, which permits any authenticated user to enumerate the names and contents of arbitrary files on the server, leading to unauthorized information disclosure classified under CWE-200. It has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, and scope change with high confidentiality impact.

An attacker with low-privilege access, such as a registered user on the Tandoor Recipes instance, can exploit this vulnerability remotely without user interaction. By leveraging the flawed external storage functionality, they can systematically probe and retrieve sensitive file contents from the server, potentially exposing configuration files, user data, or other critical information stored outside the application's intended scope.

The vulnerability is addressed in Tandoor Recipes version 1.5.28, as detailed in the project's GitHub security advisory (GHSA-jrgj-35jx-2qq7) and the corresponding commit (36e83a9d0108ac56b9538b45ead57efc8b97c5ff). Security practitioners should upgrade to the patched version and review access controls for external storage configurations to mitigate exposure.