Cyber Posture

CVE-2025-24899

High · Public PoC

Published: 03 February 2025

Modified: 13 May 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0054 (67.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

reNgine, an automated reconnaissance framework for web applications, lets any authenticated user, regardless of role, retrieve other users' account details (username, password, email, role, first name, last name, status and activity information) with a GET request to `/api/listVulnerability/` after a scan has been run. The issue is fixed in version 2.2.0; no workarounds are available.

Security Summary

CVE-2025-24899 is an information-disclosure vulnerability in reNgine, an automated reconnaissance framework for web applications. An insider with any role, such as Auditor, Penetration Tester, or Sys Admin, can extract sensitive information about other reNgine users. The root cause is missing access control on the `/api/listVulnerability/` endpoint: the vulnerability records it returns embed account data, so a caller learns the username, password, email, role, first name, last name, status, and activity information of other users after running a scan on a target. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Note that the vector's PR:N (no privileges required) sits oddly with the advisory's own precondition of an authenticated reNgine account; for prioritisation, treat a valid low-privilege account as the realistic requirement.

Exploitation is a single authenticated GET request to `/api/listVulnerability/` once a scan has executed; no special tooling or role is needed beyond an ordinary reNgine login. The response exposes confidential account data across the platform, so a low-privilege tenant of a shared reNgine instance can harvest credentials and personal details of every other user, including administrators, and use them for account takeover or lateral movement.

The vulnerability has been addressed in reNgine version 2.2.0, and all users are advised to upgrade immediately, as no workarounds are available. Details on the fix are provided in the GitHub commit at https://github.com/yogeshojha/rengine/commit/a658b8519f1a3347634b04733cf91ed933af1f99 and the security advisory at https://github.com/yogeshojha/rengine/security/advisories/GHSA-r3fp-xr9f-wv38.
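The following is an added example, not code from reNgine, the advisory or the fix commit. It shows two things a practitioner wants around this class of bug: a check that walks an API response and reports where account fields are embedded (the detection side, run here against a constructed sample body because the real `/api/listVulnerability/` schema is not reproduced on this page), and the remediation pattern the CWE-200 class calls for, projecting every nested user object down to an allowlist before it is returned. Key names such as `initiated_by`, `is_active` and `last_login`, the `ACCOUNT_KEYS` mapping of the advisory's field list, and the `headers` argument of `fetch_and_assess` are assumptions for illustration.

```python
"""Check a reNgine-style JSON API response for leaked account data (CWE-200).

Added example, not code from reNgine or from the advisory. The sample
response below is constructed; the real /api/listVulnerability/ schema is
not reproduced here, so the walker treats the body as arbitrary nested JSON
and reports account-attribute keys wherever they appear.
"""
import json
import urllib.request
from typing import Any

# Keys corresponding to the fields the advisory lists as exposed (username,
# password, email, role, names, status, activity). Exact key names in
# reNgine's response are an assumption.
ACCOUNT_KEYS = {
    "username", "password", "email", "role", "first_name", "last_name",
    "is_active", "is_staff", "last_login", "date_joined",
}
# Values that must never leave the server, whatever the caller's role.
SECRET_KEYS = {"password"}
# Allowlist a hardened serializer would use for a nested user reference.
PUBLIC_USER_FIELDS = {"id", "username"}


def find_account_fields(node: Any, path: str = "$") -> list[tuple[str, str]]:
    """Walk a decoded JSON body and return (json_path, key) for every key that
    names an account attribute. Schema-agnostic, so a reshaped response does
    not hide the leak from the check."""
    hits: list[tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ACCOUNT_KEYS:
                hits.append((path, key))
            hits.extend(find_account_fields(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_account_fields(item, f"{path}[{i}]"))
    return hits


def assess(body: Any) -> dict:
    """Summarise the walk: 'leak' if any non-public account field is present,
    'secret_leak' if a credential field is present."""
    hits = find_account_fields(body)
    keys = sorted({k for _, k in hits})
    return {
        "leak": any(k not in PUBLIC_USER_FIELDS for k in keys),
        "secret_leak": any(k in SECRET_KEYS for k in keys),
        "keys": keys,
        "paths": sorted({p for p, _ in hits}),
    }


def project_user_objects(node: Any, user_marker: str = "username") -> Any:
    """Remediation pattern: before a record is returned, reduce every embedded
    user object to PUBLIC_USER_FIELDS. A dict is taken to be a user object if
    it carries the marker key (an assumption for this example; a real
    serializer knows its own nested types)."""
    if isinstance(node, dict):
        if user_marker in node:
            return {k: v for k, v in node.items() if k in PUBLIC_USER_FIELDS}
        return {k: project_user_objects(v, user_marker) for k, v in node.items()}
    if isinstance(node, list):
        return [project_user_objects(x, user_marker) for x in node]
    return node


def fetch_and_assess(url: str, headers: dict[str, str]) -> dict:
    """Live check against an instance you are authorised to test. 'headers'
    carries whatever the deployment needs to authenticate as a low-privilege
    account (session cookie or token); no header names are assumed here."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return assess(json.load(resp))


# Constructed sample: one vulnerability record that embeds the account object
# of the user who started the scan. All values are fake.
SAMPLE_LEAKY_RESPONSE = {
    "count": 1,
    "results": [{
        "id": 42,
        "name": "Reflected XSS",
        "severity": 2,
        "scan_history": {
            "id": 7,
            "initiated_by": {
                "id": 3,
                "username": "auditor1",
                "password": "pbkdf2_sha256$600000$fakesalt$fakehash",
                "email": "auditor1@example.test",
                "first_name": "Ada",
                "last_name": "Example",
                "is_active": True,
                "last_login": "2025-02-01T10:00:00Z",
            },
        },
    }],
}

if __name__ == "__main__":
    print("before:", json.dumps(assess(SAMPLE_LEAKY_RESPONSE), indent=2))
    print("after: ", json.dumps(assess(project_user_objects(SAMPLE_LEAKY_RESPONSE)), indent=2))
```

Against the constructed body the check flags `$.results[0].scan_history.initiated_by` with a credential field present; after projection only `username` remains and both flags clear. The same walker can be pointed at any other reNgine list endpoint, since an ORM-backed serializer that nests a full user model will leak in the same way wherever it is reused.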

Details

CWE(s)
CWE-200; NVD-CWE-noinfo

Affected Products

yogeshojha
rengine
< 2.2.0 (fixed in 2.2.0)

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability exposes usernames, passwords, emails, and other account details of other users through an API endpoint that lacks access control, so an adversary who holds any reNgine account obtains stored credentials without needing to crack or phish them.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References