Chall Manager
Monthly
CVE-2025-53634 is a Denial of Service (DoS) vulnerability in Chall-Manager's HTTP Gateway that lacks request timeout mechanisms, allowing unauthenticated attackers to execute Slow Loris attacks and exhaust server resources. The vulnerability affects Chall-Manager versions prior to v0.1.4 and has a CVSS score of 7.5 (High) with zero authentication requirements. While the vulnerability itself is not marked as actively exploited in public KEV databases, the patch is already available, and the architectural recommendation to isolate Chall-Manager deep within infrastructure significantly reduces real-world exposure.
Chall-Manager versions prior to v0.1.4 contain an unchecked decompression vulnerability (CWE-405) that allows unauthenticated attackers to trigger zip bomb attacks by uploading malicious scenario archives. This denial-of-service vulnerability has a CVSS 9.8 severity score due to complete system compromise potential (confidentiality, integrity, availability impact) combined with network-accessible attack surface. The vulnerability is mitigated in practice by deployment recommendations suggesting Chall-Manager be isolated within infrastructure, but network-adjacent attackers with access to the system can completely compromise it without authentication or user interaction.
CVE-2025-53632 is a path traversal vulnerability (zip slip) in Chall-Manager v0.1.3 and earlier that allows unauthenticated attackers to write arbitrary files to the system when processing scenario zip archives. The vulnerability has a CVSS 9.1 severity score due to high integrity and availability impact, though real-world exploitation risk is partially mitigated by deployment recommendations to isolate Chall-Manager within internal infrastructure. A patch is available in v0.1.4 via commit 47d188f.
CVE-2025-53634 is a Denial of Service (DoS) vulnerability in Chall-Manager's HTTP Gateway that lacks request timeout mechanisms, allowing unauthenticated attackers to execute Slow Loris attacks and exhaust server resources. The vulnerability affects Chall-Manager versions prior to v0.1.4 and has a CVSS score of 7.5 (High) with zero authentication requirements. While the vulnerability itself is not marked as actively exploited in public KEV databases, the patch is already available, and the architectural recommendation to isolate Chall-Manager deep within infrastructure significantly reduces real-world exposure.
Chall-Manager versions prior to v0.1.4 contain an unchecked decompression vulnerability (CWE-405) that allows unauthenticated attackers to trigger zip bomb attacks by uploading malicious scenario archives. This denial-of-service vulnerability has a CVSS 9.8 severity score due to complete system compromise potential (confidentiality, integrity, availability impact) combined with network-accessible attack surface. The vulnerability is mitigated in practice by deployment recommendations suggesting Chall-Manager be isolated within infrastructure, but network-adjacent attackers with access to the system can completely compromise it without authentication or user interaction.
CVE-2025-53632 is a path traversal vulnerability (zip slip) in Chall-Manager v0.1.3 and earlier that allows unauthenticated attackers to write arbitrary files to the system when processing scenario zip archives. The vulnerability has a CVSS 9.1 severity score due to high integrity and availability impact, though real-world exploitation risk is partially mitigated by deployment recommendations to isolate Chall-Manager within internal infrastructure. A patch is available in v0.1.4 via commit 47d188f.