CVE-2025-13829 Overview
CVE-2025-13829 is a high-severity Incorrect Authorization vulnerability (CWE-863) in Data Illusion Zumbrunn NGSurvey that allows any authenticated user to obtain private information belonging to other users. This broken access control flaw enables horizontal privilege escalation, where a low-privileged user can access sensitive data of any other user in the system without proper authorization checks.
The vulnerability exposes critical user information including API keys with 1-year session validity, refresh tokens with 10-minute session validity, bcrypt-hashed passwords, user IP addresses, email addresses, and full names. With a CVSS 4.0 score of 8.6 (HIGH), this vulnerability poses a significant risk to organizations using NGSurvey for their survey management needs.
Critical Impact
Any authenticated user can access sensitive information of all other users including long-lived API keys, password hashes, and personally identifiable information (PII), enabling account takeover and further attacks.
Affected Products
- Data Illusion Zumbrunn NGSurvey (versions prior to 3.6.17)
Discovery Timeline
- 2025-12-01 - CVE-2025-13829 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-13829
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that the application fails to properly verify whether a user has the necessary permissions to access another user's data. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring only low privileges (PR:L) and no user interaction (UI:N).
The CVSS 4.0 vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N indicates high confidentiality and integrity impact on the vulnerable system, as attackers can both read sensitive data and potentially modify user information.
The Exploit Prediction Scoring System (EPSS) indicates a probability of 0.043% with a percentile of 13.114, suggesting relatively low likelihood of exploitation in the wild at this time, though the high severity score warrants immediate attention.
Root Cause
The root cause of this vulnerability lies in inadequate authorization checks within the NGSurvey application's user data access mechanisms. When an authenticated user requests information about another user, the application fails to verify that the requesting user has appropriate permissions to access that data. This represents a classic broken access control vulnerability where authentication (proving who you are) is implemented, but authorization (verifying what you can access) is missing or improperly enforced.
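The gap between authentication and authorization described above can be illustrated with a minimal handler pair: the vulnerable form trusts the requested user ID directly, while the hardened form enforces object-level authorization and additionally keeps credential fields out of the profile response. This is an added Python example, not NGSurvey's code; the record layout, the is_admin flag, the sample store and the handler names are assumptions.

```python
# Added illustration of the flaw class (CWE-863), not NGSurvey's actual code.
# The record layout, the is_admin flag and the handler names are assumptions.
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class UserRecord:
    user_id: int
    full_name: str
    email: str
    ip_address: str
    password_hash: str   # bcrypt hash, as the advisory lists
    api_key: str         # long-lived credential (1-year validity per advisory)
    refresh_token: str   # short-lived credential
    is_admin: bool = False

# Constructed sample store standing in for the application's user table.
USERS = {
    1: UserRecord(1, "Alice Admin", "alice@example.test", "10.0.0.5",
                  "$2b$12$placeholderhashA", "key-A", "rt-A", is_admin=True),
    2: UserRecord(2, "Bob User", "bob@example.test", "10.0.0.7",
                  "$2b$12$placeholderhashB", "key-B", "rt-B"),
    3: UserRecord(3, "Carol User", "carol@example.test", "10.0.0.9",
                  "$2b$12$placeholderhashC", "key-C", "rt-C"),
}

# Secret-bearing fields that should never be serialized into a profile response,
# even for the record's owner; issuance and rotation flows return them once.
SECRET_FIELDS = {"password_hash", "api_key", "refresh_token"}

class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""

def get_user_vulnerable(requester_id: int, target_id: int) -> dict:
    """Broken pattern: the caller is authenticated (requester_id is known), but
    target_id from the request is used as-is, so any user reads any record."""
    return asdict(USERS[target_id])

def get_user_fixed(requester_id: int, target_id: int) -> dict:
    """Hardened pattern: object-level authorization on every lookup, plus a
    response allow-list so credentials never leave the server in a profile."""
    requester = USERS[requester_id]
    if requester_id != target_id and not requester.is_admin:
        raise Forbidden(f"user {requester_id} may not read user {target_id}")
    record = asdict(USERS[target_id])
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}
```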
Attack Vector
The attack vector for CVE-2025-13829 is network-based, meaning an attacker can exploit this vulnerability remotely over the network. The exploitation flow involves:
- An attacker authenticates to the NGSurvey application with valid credentials (even as a low-privileged user)
- The attacker crafts requests to access user data endpoints, manipulating user identifiers or parameters
- Due to missing authorization checks, the application returns sensitive data for any requested user
- The attacker obtains critical information including API keys, refresh tokens, bcrypt password hashes, IP addresses, emails, and full names
The retrieved API keys with 1-year validity are particularly dangerous as they could enable persistent unauthorized access to victim accounts. Additionally, while bcrypt-hashed passwords provide some protection, they could still be subject to offline brute-force attacks, especially if weak passwords were used.
Detection Methods for CVE-2025-13829
Indicators of Compromise
- Unusual patterns of user data access requests from single accounts
- API requests attempting to enumerate or access user IDs not associated with the authenticated session
- Abnormal usage of API keys that don't match expected user behavior patterns
- Multiple failed or successful user data retrieval attempts across different user accounts from a single source
Detection Strategies
Organizations should implement comprehensive logging and monitoring for user data access within NGSurvey deployments. Security teams should analyze access logs for patterns indicating horizontal privilege escalation attempts. Recommended detection measures include:
- Monitor for authenticated users accessing user profile endpoints with user IDs that do not belong to them
- Implement anomaly detection to identify accounts making excessive user data requests
- Review authentication logs for API key usage that doesn't match the key owner's typical behavior
- Deploy web application firewalls (WAF) with rules to detect enumeration attacks against user endpoints
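The first two measures above (a session reading profile IDs that are not its own, and one account sweeping many of them) can be checked directly against access logs. The following is an added Python example, not part of the original advisory or of NGSurvey itself; the log line layout, the /api/users/<id> path, the admin allow-list and the enumeration threshold are assumptions to be adapted to the real deployment's logging.

```python
# Added detection example for cross-user profile reads. Log format, path layout,
# admin IDs and the threshold are assumptions, not NGSurvey's real logging.
import re
from collections import defaultdict

# Constructed sample lines: timestamp, authenticated user, method, path, status.
SAMPLE_LOG = """\
2025-12-02T10:00:01Z user=2 GET /api/users/2 200
2025-12-02T10:00:05Z user=2 GET /api/users/3 200
2025-12-02T10:00:06Z user=2 GET /api/users/4 200
2025-12-02T10:00:07Z user=2 GET /api/users/5 200
2025-12-02T10:01:00Z user=1 GET /api/users/3 200
2025-12-02T10:02:00Z user=3 GET /api/surveys/12 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<uid>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
PROFILE_RE = re.compile(r"^/api/users/(?P<target>\d+)$")

ADMIN_IDS = {1}      # accounts legitimately allowed to read other users' records
ENUM_THRESHOLD = 3   # distinct foreign profiles read by one account = enumeration

def cross_user_reads(log_text: str) -> list:
    """Return (requester, target) pairs where a non-admin account read a profile
    that is not its own and the server answered 200, i.e. the read succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        p = PROFILE_RE.match(m["path"])
        if not p or m["status"] != "200":
            continue  # not a profile endpoint, or the request was refused
        uid, target = int(m["uid"]), int(p["target"])
        if uid != target and uid not in ADMIN_IDS:
            hits.append((uid, target))
    return hits

def enumerating_accounts(log_text: str, threshold: int = ENUM_THRESHOLD) -> dict:
    """Map requester -> number of distinct foreign profiles read, for accounts at
    or above the threshold: the sweep pattern the indicators above describe."""
    seen = defaultdict(set)
    for uid, target in cross_user_reads(log_text):
        seen[uid].add(target)
    return {uid: len(t) for uid, t in seen.items() if len(t) >= threshold}
```

Run against a real export, every hit from cross_user_reads is already significant on an unpatched instance, because the server should not have returned 200 for those requests in the first place.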
SentinelOne Singularity Platform can provide endpoint-level visibility into suspicious application behavior and network communications that may indicate exploitation attempts.
Monitoring Recommendations
Organizations should enable detailed audit logging for all user data access operations in NGSurvey. Security teams should establish baseline patterns for normal user behavior and alert on deviations. Consider implementing rate limiting on user data endpoints to slow down potential enumeration attacks. Regular review of access logs should be conducted to identify any unauthorized data access that may have occurred.
How to Mitigate CVE-2025-13829
Immediate Actions Required
- Upgrade NGSurvey to version 3.6.17 or later immediately
- Audit user data access logs for signs of exploitation prior to patching
- Rotate all API keys and refresh tokens for all users after applying the patch
- Review bcrypt password hashes exposed; consider forcing password resets for all users
- Implement additional network-level access controls to limit NGSurvey access to trusted networks
Patch Information
Data Illusion has addressed this vulnerability in NGSurvey version 3.6.17, released on 2025-05-28. Organizations should upgrade to this version or later to remediate the vulnerability. The patch information and changelog are available at: https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28
Prior to upgrading, ensure you have a complete backup of your NGSurvey installation and database. Test the upgrade in a non-production environment first if possible.
Workarounds
If immediate patching is not possible, organizations should consider the following temporary mitigations:
Implement network-level access controls to restrict access to the NGSurvey application to only trusted IP ranges or VPN-connected users. Deploy a web application firewall (WAF) in front of the application with rules to detect and block suspicious user data access patterns. Consider temporarily disabling or restricting access to user profile and account information endpoints if operationally feasible.
Additionally, implement strict monitoring on user data access endpoints and establish alerting for any suspicious access patterns. However, these workarounds should only be considered temporary measures until the official patch can be applied, as they do not fully address the underlying authorization flaw.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.