CVE-2025-62614

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-62614

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62614.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-62614

Aliases

GHSA-363g-fhcq-hvqp

Published

2025-10-22T20:58:45Z

Modified

2025-10-24T04:21:53.055Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

BookLore Media API Authentication Bypass

Details

BookLore is a self-hosted web app for organizing and managing personal book collections. In versions 1.8.1 and prior, an authentication bypass vulnerability in the BookMediaController allows any unauthenticated user to access and download book covers, thumbnails, and complete PDF/CBX page content without authorization. The vulnerability exists because multiple media endpoints lack proper access control annotations, and the CoverJwtFilter continues request processing even when no authentication token is provided. This enables attackers to enumerate and exfiltrate all book content from the system, bypassing the intended download permissions (canDownload) entirely. This issue has been patched via commit b226c43.

Database specific

{
    "cwe_ids": [
        "CWE-862"
    ]
}

References

Affected packages

Git / github.com/booklore-app/booklore

Affected ranges

Type: GIT
Repo: https://github.com/booklore-app/booklore
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b226c43343cd0cef4c1cd54bc3dcdef90b147133

Affected versions

develop-v0.*

develop-v0.0.1

develop-v0.0.2

v0.*

v0.0.1

v0.0.10

v0.0.11

v0.0.12

v0.0.13

v0.0.14

v0.0.15

v0.0.16

v0.0.17

v0.0.18

v0.0.19

v0.0.2

v0.0.20

v0.0.21

v0.0.22

v0.0.23

v0.0.24

v0.0.25

v0.0.26

v0.0.27

v0.0.28

v0.0.29

v0.0.3

v0.0.30

v0.0.31

v0.0.32

v0.0.33

v0.0.34

v0.0.35

v0.0.36

v0.0.37

v0.0.38

v0.0.39

v0.0.4

v0.0.40

v0.0.41

v0.0.42

v0.0.43

v0.0.44

v0.0.45

v0.0.46

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v0.1.0

v0.10.0

v0.10.1

v0.10.2

v0.10.3

v0.11.0

v0.11.1

v0.12.0

v0.13.0

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.19.1

v0.19.2

v0.2.0

v0.2.1

v0.20.0

v0.21.0

v0.22.0

v0.23.0

v0.24.0

v0.24.1

v0.25.0

v0.25.1

v0.25.2

v0.26.0

v0.27.0

v0.28.0

v0.28.1

v0.28.2

v0.29.0

v0.3.0

v0.3.2

v0.30.0

v0.30.1

v0.30.2

v0.30.3

v0.31.0

v0.32.0

v0.32.1

v0.32.2

v0.32.3

v0.33.0

v0.34.0

v0.34.1

v0.35.0

v0.35.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.5.0

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.8.0

v0.9.0

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/booklore-app/booklore/commit/b226c43343cd0cef4c1cd54bc3dcdef90b147133",
        "target": {
            "function": "doFilterInternal",
            "file": "booklore-api/src/main/java/com/adityachandel/booklore/config/security/filter/CoverJwtFilter.java"
        },
        "id": "CVE-2025-62614-135ae58e",
        "deprecated": false,
        "digest": {
            "function_hash": "247014683966615799230476310496837435227",
            "length": 593.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/booklore-app/booklore/commit/b226c43343cd0cef4c1cd54bc3dcdef90b147133",
        "target": {
            "file": "booklore-api/src/main/java/com/adityachandel/booklore/config/security/filter/CoverJwtFilter.java"
        },
        "id": "CVE-2025-62614-a6fcaf51",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "308712009955556245319451795942996202671",
                "293945028700083966891633763532162888584",
                "283175693904557797874811612394778544383",
                "190516363052617188507645912801546351691",
                "180077351726456782632974936120776919908",
                "170247092655769005034244373384102692923",
                "243422166546959961920968671013834169710",
                "161798059642940810285167929022593332814",
                "231004117844823759448100329978939589153",
                "131030839446354484987885982171152391916",
                "323555488896165727104631525709904339259",
                "229269851350666220395060156997421496139",
                "50513839367950466084028252171523712183",
                "77162610904969707087123083535946244185",
                "104588750347958795577240841281421182809",
                "285878008668992602653619402724056467913",
                "285398537041968335105979485917518360025",
                "133278563860089464346642577495982459772"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/booklore-app/booklore/commit/b226c43343cd0cef4c1cd54bc3dcdef90b147133",
        "target": {
            "file": "booklore-api/src/main/java/com/adityachandel/booklore/controller/BookMediaController.java"
        },
        "id": "CVE-2025-62614-afdc591f",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "15889217961391762598035855602017667553",
                "73618268565092163366626678497766340216",
                "98708952066153954556598919580600755944",
                "238646965042332436067512385657943681010",
                "21695233414559620462590805905902847524"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    }
]