
CVE-2025-60949
EUVD-2025-208954 | CRITICAL
Information Exposure (CWE-200)
2026-03-23 cisa-cg GHSA-2926-f789-68jv
CVSS 4.0 base score: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (7 events)

Analysis Updated: Apr 16, 2026 05:49 (EUVD-patch-fix) - executive_summary
Re-analysis Queued: Apr 16, 2026 05:29 (backfill_euvd_patch) - patch_released
Patch available: Apr 16, 2026 05:29 (EUVD) - 8.1.0
PoC Detected: Mar 25, 2026 21:06 (vuln.today) - Public exploit code
EUVD ID Assigned: Mar 23, 2026 21:30 (euvd) - EUVD-2025-208954
Analysis Generated: Mar 23, 2026 21:30 (vuln.today)
CVE Published: Mar 23, 2026 21:00 (nvd) - CRITICAL 9.3

Description (NVD)

Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in 8.1.0 alpha.

Analysis (AI)

Census CSWeb 8.0.1 contains an information disclosure vulnerability where the app/config endpoint is reachable via HTTP without authentication in certain deployments, allowing remote attackers to retrieve sensitive configuration data including secrets. This vulnerability has a CVSS score of 9.1 (Critical) and affects Census CSWeb versions prior to 8.1.0 alpha. A public proof-of-concept exploit is available on GitHub (https://github.com/hx381/cspro-exploits), significantly increasing the risk of active exploitation.

Technical Context (AI)

Census CSWeb is a web-based data dissemination system for census and survey data. The vulnerability affects CSWeb version 8.0.1 (CPE: cpe:2.3:a:census:csweb:*:*:*:*:*:*:*:*) and stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is improper access control on the app/config directory structure, which allows HTTP requests to reach configuration files that should be restricted. In certain deployment configurations, these configuration endpoints are exposed to the network without requiring authentication, enabling unauthorized access to potentially sensitive application settings, database credentials, API keys, and other secrets stored in configuration files.

Remediation (AI)

Immediately upgrade Census CSWeb to version 8.1.0 alpha or later, which addresses this vulnerability as documented in the GitHub commit at https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91. Until patching is complete, implement immediate compensating controls including configuring web server or reverse proxy rules to explicitly deny access to the app/config path for all external requests, restricting CSWeb access to trusted IP ranges only via firewall rules, and ensuring the application is not directly exposed to the internet. Review application configuration files for any exposed secrets and rotate all credentials, API keys, and tokens that may have been accessible through this vulnerability. Consult the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json for additional guidance and consider implementing network segmentation to isolate CSWeb instances from untrusted networks.
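As an added example (not from vuln.today or the CSWeb project), the following script reviews a web-server access log for requests that reached the app/config path and reports whether each was served or blocked, which is how a defender confirms the deny rule above actually took effect. It assumes Combined Log Format and runs on constructed sample lines.

```python
"""Review a web-server access log for requests under CSWeb's app/config path.
Added example, not from vuln.today or the CSWeb project; assumes Combined Log
Format. A 2xx on that path means the deny rule is missing or was bypassed."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample lines, not real traffic: mixed case, percent-encoding, a query
# string, a blocked request, and a look-alike path under /static that must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:01:02 +0000] "GET /app/config/.env HTTP/1.1" 200 812
203.0.113.7 - - [24/Mar/2026:10:01:03 +0000] "GET /app/config/ HTTP/1.1" 200 2210
198.51.100.4 - - [24/Mar/2026:10:05:44 +0000] "GET /App/Config/database.php HTTP/1.1" 200 640
198.51.100.4 - - [24/Mar/2026:10:05:45 +0000] "GET /app/%63onfig/settings.ini?x=1 HTTP/1.1" 200 300
192.0.2.9 - - [24/Mar/2026:11:30:00 +0000] "GET /app/config/.env HTTP/1.1" 403 153
192.0.2.9 - - [24/Mar/2026:11:30:01 +0000] "GET /static/app/config.js HTTP/1.1" 200 5120
"""

def normalize_path(target: str) -> str:
    """Strip the query, decode %XX, collapse dot segments and case, as the server would."""
    path = unquote(urlsplit(target).path).lstrip("/")
    return posixpath.normpath("/" + path).lower()

def classify(line: str):
    """Return (ip, path, status) when the request targets /app/config, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = normalize_path(m.group("target"))
    if path != "/app/config" and not path.startswith("/app/config/"):
        return None
    return m.group("ip"), path, int(m.group("status"))

def scan(log_text: str):
    """Split matching requests into served (2xx, i.e. exposure) and blocked ones."""
    exposed, blocked = [], []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is not None:
            (exposed if 200 <= hit[2] < 300 else blocked).append(hit)
    return exposed, blocked

if __name__ == "__main__":
    for label, hits in zip(("EXPOSED", "blocked"), scan(SAMPLE_LOG)):
        for ip, path, status in hits:
            print(f"{label} {status} {ip} {path}")
```

Any EXPOSED line from before the patch or the deny rule was applied is a reason to rotate the secrets the remediation lists, since the contents of that path should be assumed read.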


CVE-2025-60949 vulnerability details – vuln.today
