Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
PR:L reflects the required free-tier account; I:L captures the business logic bypass granting unauthorized tier capabilities; A:L retained for API flooding risk.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users.
AnalysisAI
Splashin iOS v2.0 fails to enforce server-side rate limiting on location update frequency for free-tier accounts, allowing free users to bypass tier-based restrictions and submit location updates at an unrestricted rate. Confirmed by CPE (cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*), this business logic flaw exposes the platform's API to abuse by any free-tier account holder. A publicly available proof-of-concept is referenced via NVD exploit tag; EPSS sits at 0.36% (28th percentile), indicating low probability of widespread automated exploitation.
Technical ContextAI
Splashin is an iOS application identified by CPE cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*. The flaw represents a server-side business logic enforcement failure: the backend API accepting location update payloads does not validate whether the requesting free-tier user has satisfied the minimum permitted interval since their last submission. This is a textbook client-side restriction without server-side enforcement pattern - the interval restriction exists in application logic but is not enforced at the API layer. No CWE is officially assigned; the closest classifications would be CWE-799 (Improper Control of Interaction Frequency) and CWE-602 (Client-Side Enforcement of Server-Side Security). The 'Information Disclosure' tag noted in the intelligence data conflicts with the CVSS C:N metric; in a location-sharing context, unrestricted update frequency could expose finer-grained location trails than the free tier is designed to permit, though this confidentiality dimension is not reflected in the official CVSS score.
RemediationAI
The primary fix is implementing server-side enforcement of location update intervals for free-tier accounts: the server must persist each user's last accepted update timestamp and reject or queue any subsequent request arriving before the minimum permitted interval, returning HTTP 429 with a Retry-After header to signal rate limiting. This check must occur at the API layer, not the client, to prevent bypass. Until a patched release is available, the vendor can implement a rate-limiting middleware (e.g., token bucket or sliding-window counter keyed to user ID and tier) at the API gateway level - the trade-off is added latency for all location update requests, which is acceptable given the low-frequency nature of the feature. No vendor-released patched version has been identified in available data; the researcher PDF at https://carterlasalle.github.io/splashin-cve-2025/splashin-1.pdf may contain additional remediation details. Users cannot self-remediate at the client level.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today