CVE-2025-23044 Overview
CVE-2025-23044 is a Cross-Site Request Forgery (CSRF) vulnerability affecting PwnDoc, a popular penetration test report generator used by security professionals. The vulnerability exists due to the absence of CSRF protection mechanisms in the application, specifically the missing SameSite attribute on authentication cookies. This allows attackers to craft malicious requests that execute actions on behalf of authenticated users without their knowledge or consent.
Critical Impact
Attackers can execute unauthorized GET and POST requests on behalf of authenticated PwnDoc users, potentially leading to data exfiltration, unauthorized modifications to penetration test reports, and compromise of sensitive security documentation.
Affected Products
- PwnDoc (all versions prior to commit 14acb704891245bf1703ce6296d62112e85aa995)
- pwndoc_project pwndoc
Discovery Timeline
- 2025-01-20 - CVE-2025-23044 published to NVD
- 2025-05-07 - Last updated in NVD database
Technical Details for CVE-2025-23044
Vulnerability Analysis
This CSRF vulnerability stems from a fundamental security misconfiguration in how PwnDoc handles authentication cookies. The application sets token and refreshToken cookies without the SameSite attribute, which is essential for preventing cross-origin request attacks in modern web applications. Without this protection, browsers will automatically include these authentication cookies when making requests to PwnDoc from any origin, including malicious third-party websites.
The vulnerability is particularly concerning because it affects both GET and POST requests, meaning attackers can potentially read sensitive data and modify application state. Additionally, the ability to refresh cookies extends the attack window, allowing persistent exploitation even after initial tokens would normally expire.
Root Cause
The root cause lies in the cookie configuration in the backend/src/routes/user.js file. When setting the authentication cookies (token and refreshToken), the application specifies only the secure: true and httpOnly: true attributes and omits the critical sameSite attribute. The SameSite cookie attribute controls whether a cookie is sent with cross-site requests; when it is absent, modern browsers fall back to SameSite=Lax, which still attaches the cookie to some cross-site requests.
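The quickest way to confirm whether a deployed instance is affected is to look at the Set-Cookie headers its login and refresh responses return. The following checker is an added example, not PwnDoc code or part of the advisory: it parses Set-Cookie values and reports cookies that lack SameSite, Secure or HttpOnly. The two header sets at the bottom are constructed to mirror the pre- and post-fix cookie options shown in the patch; the token values are placeholders.

```javascript
// Added example (not PwnDoc's own code): audit Set-Cookie headers for the
// attributes that decide CSRF exposure. Feed it the Set-Cookie values your own
// instance returns on login (e.g. copied from `curl -si`); the samples below
// are constructed to match the cookie options in the PwnDoc patch.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    if (k) attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return { name, value, attrs };
}

// Findings for one cookie. A cookie without SameSite is treated as Lax by
// Chromium-based browsers and as None by others, so its absence is always flagged.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push(`${name}: no SameSite attribute (browser default applies)`);
  } else if (sameSite === 'none') {
    findings.push(`${name}: SameSite=None sends the cookie on every cross-site request`);
  }
  if (!attrs.secure) findings.push(`${name}: missing Secure`);
  if (!attrs.httponly) findings.push(`${name}: missing HttpOnly`);
  return findings;
}

// Audit every Set-Cookie header of one response: returns { cookieName: [findings] }.
function auditResponseCookies(setCookieHeaders) {
  const report = {};
  for (const h of setCookieHeaders) {
    report[parseSetCookie(h).name] = auditCookie(h);
  }
  return report;
}

// Constructed samples (placeholder token values) mirroring the cookie options
// before and after the fix; Express emits Path=/ for the token cookie by default.
const BEFORE_FIX = [
  'token=JWT%20placeholder.jwt.value; Path=/; HttpOnly; Secure',
  'refreshToken=placeholderrefresh; Path=/api/users/refreshtoken; HttpOnly; Secure',
];
const AFTER_FIX = [
  'token=JWT%20placeholder.jwt.value; Path=/; HttpOnly; Secure; SameSite=Strict',
  'refreshToken=placeholderrefresh; Path=/api/users/refreshtoken; HttpOnly; Secure; SameSite=Strict',
];

console.log('before fix:', JSON.stringify(auditResponseCookies(BEFORE_FIX), null, 2));
console.log('after fix: ', JSON.stringify(auditResponseCookies(AFTER_FIX), null, 2));
```

Run it against the real headers of your instance after patching: both cookies should come back with an empty findings list. Any cookie still reported without SameSite points to a code path that sets it with the old options.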
Attack Vector
The attack can be executed remotely over the network and requires user interaction. An attacker would need to trick an authenticated PwnDoc user into visiting a malicious webpage or clicking a crafted link. The malicious page would contain hidden forms or JavaScript that automatically submit requests to the PwnDoc application. Since the victim's browser automatically includes authentication cookies with these requests, the PwnDoc server processes them as legitimate authenticated requests.
Attack scenarios include:
- Creating or modifying penetration test reports
- Exporting sensitive vulnerability data
- Changing user account settings
- Adding malicious content to existing reports
The following patch shows how the vulnerability was addressed by adding sameSite: 'strict' to both authentication cookies:
User.updateRefreshToken(token, userAgent)
.then(msg => {
- res.cookie('token', `JWT ${msg.token}`, {secure: true, httpOnly: true})
- res.cookie('refreshToken', msg.refreshToken, {secure: true, httpOnly: true, path: '/api/users/refreshtoken'})
+ res.cookie('token', `JWT ${msg.token}`, {sameSite: 'strict', secure: true, httpOnly: true})
+ res.cookie('refreshToken', msg.refreshToken, {sameSite: 'strict', secure: true, httpOnly: true, path: '/api/users/refreshtoken'})
Response.Ok(res, msg)
})
.catch(err => {
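Review bot: the two `+` lines cover only the refresh path, so any other `res.cookie` (or `clearCookie`) call that issues or clears `token` and `refreshToken`, the login route in particular, needs the identical `sameSite: 'strict'` option, otherwise a session is exposed from login until its first refresh; please check every call for those two cookie names in the same file. A one-line comment above the calls stating why `'strict'` was chosen over `'lax'` would stop a later reader from relaxing it. Since `SameSite` is enforced by the browser and older clients ignore it, an Origin check or CSRF token on the state-changing routes is still worth adding as defence in depth.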
Source: GitHub Commit Changes
Detection Methods for CVE-2025-23044
Indicators of Compromise
- Unexpected modifications to penetration test reports or templates
- User account changes that the legitimate user did not initiate
- Audit logs showing API requests from unusual referrer origins
- Session activity from geographic locations inconsistent with normal user behavior
Detection Strategies
- Monitor HTTP request headers for cross-origin requests to sensitive PwnDoc endpoints, particularly checking Origin and Referer headers for suspicious external domains
- Implement web application firewall (WAF) rules to detect and block requests with suspicious referrer patterns
- Review server access logs for patterns of authenticated requests originating from external referrer URLs
- Configure SIEM alerts for bulk or automated API interactions that deviate from normal user behavior patterns
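The access-log review described above can be scripted. The following is an added example, not tooling from PwnDoc or the advisory: it parses nginx combined-format access log lines and reports state-changing requests to /api/ whose Referer is not the PwnDoc host. The hostname pwndoc.example.internal and the log lines are constructed; the request paths are illustrative rather than PwnDoc's real routes, except /api/users/refreshtoken, which the advisory names.

```javascript
// Added example (not PwnDoc's or the advisory's code): flag cross-site
// state-changing API requests in nginx combined-format access logs.
// Assumptions: the log format is the nginx default "combined" and the PwnDoc
// host is pwndoc.example.internal; the sample lines below are constructed.

const PWNDOC_HOST = 'pwndoc.example.internal';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// nginx combined: $remote_addr - $remote_user [$time_local] "$request"
//                 $status $body_bytes_sent "$http_referer" "$http_user_agent"
const LOG_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5],
           status: Number(m[6]), referer: m[8], ua: m[9] };
}

function hostOf(url) {
  try { return new URL(url).host.toLowerCase(); } catch { return null; }
}

// Verdict for one entry: null (nothing to report), 'cross-site', 'no-referer'
// or 'unparseable-referer'. Only non-safe methods against /api/ are considered.
function classify(entry, ownHost) {
  if (!entry.path.startsWith('/api/') || SAFE_METHODS.has(entry.method)) return null;
  if (entry.referer === '-' || entry.referer === '') return 'no-referer';
  const host = hostOf(entry.referer);
  if (host === null) return 'unparseable-referer';
  return host === ownHost ? null : 'cross-site';
}

function findSuspicious(lines, ownHost) {
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    const verdict = classify(e, ownHost);
    if (verdict) hits.push({ verdict, ip: e.ip, time: e.time, method: e.method,
                             path: e.path, referer: e.referer });
  }
  return hits;
}

// Constructed sample: normal in-app traffic, two requests carrying a foreign
// Referer (one of them hitting the refresh endpoint), and a scripted client.
const SAMPLE_LOG = [
  '10.0.0.5 - - [20/Jan/2025:10:01:02 +0000] "GET /api/audits HTTP/1.1" 200 5120 "https://pwndoc.example.internal/audits" "Mozilla/5.0"',
  '10.0.0.5 - - [20/Jan/2025:10:01:09 +0000] "PUT /api/audits/AUDIT_ID/general HTTP/1.1" 200 312 "https://pwndoc.example.internal/audits/AUDIT_ID" "Mozilla/5.0"',
  '10.0.0.5 - - [20/Jan/2025:10:07:41 +0000] "POST /api/audits/AUDIT_ID/findings HTTP/1.1" 200 88 "https://evil.example/blog/post.html" "Mozilla/5.0"',
  '10.0.0.5 - - [20/Jan/2025:10:07:42 +0000] "POST /api/users/refreshtoken HTTP/1.1" 200 90 "https://evil.example/blog/post.html" "Mozilla/5.0"',
  '10.0.0.9 - - [20/Jan/2025:10:12:00 +0000] "POST /api/audits HTTP/1.1" 201 120 "-" "curl/8.4.0"',
];

console.log(JSON.stringify(findSuspicious(SAMPLE_LOG, PWNDOC_HOST), null, 2));
```

Treat 'cross-site' hits as high confidence: the browser presented the PwnDoc cookie on a write request initiated from another site, which is exactly the pattern this CVE enables. 'no-referer' hits are lower confidence, because scripted API clients and privacy settings also omit the header, and the Referer is under the sending page's control, so its absence is not evidence of a benign request.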
Monitoring Recommendations
- Enable detailed logging for all state-changing API endpoints in PwnDoc
- Set up alerts for authentication cookie usage from non-standard origins
- Monitor for rapid sequential requests that could indicate automated CSRF exploitation
- Track changes to sensitive resources like reports and user accounts with before/after comparisons
How to Mitigate CVE-2025-23044
Immediate Actions Required
- Update PwnDoc to include commit 14acb704891245bf1703ce6296d62112e85aa995 or later
- Review audit logs for any unauthorized changes made prior to patching
- Invalidate all active sessions to force re-authentication with properly configured cookies
- Inform users about the vulnerability and advise them to review their recent activity
Patch Information
The vulnerability has been patched in commit 14acb704891245bf1703ce6296d62112e85aa995. The fix adds the sameSite: 'strict' attribute to both the token and refreshToken cookies, preventing browsers from sending these cookies with cross-site requests. For detailed patch information, refer to the GitHub Commit Changes and the GitHub Security Advisory GHSA-9v2v-jxvw-52rq.
Workarounds
- Deploy a reverse proxy or WAF that validates Origin and Referer headers on all state-changing requests
- Restrict network access to PwnDoc to trusted internal networks only until the patch can be applied
- Implement additional CSRF tokens at the application or proxy layer as a defense-in-depth measure
- Educate users to avoid clicking links or visiting untrusted websites while logged into PwnDoc
# Example nginx CSRF check at the proxy level (maps go in the http context, the location in the PwnDoc server block)
map $http_referer $csrf_referer_bad {
    default 1;
    "~*^https://your-pwndoc-domain\.com/" 0;
}
map $http_origin $csrf_origin_bad {
    default 1;                      # Origin header present but not PwnDoc's
    "" $csrf_referer_bad;           # no Origin header: fall back to the Referer check
    "https://your-pwndoc-domain.com" 0;
}
map $request_method $csrf_block {   # read-only methods are never blocked
    default $csrf_origin_bad;       # POST, PUT, PATCH, DELETE ...
    GET 0; HEAD 0; OPTIONS 0;
}
location /api/ {
    if ($csrf_block) { return 403; }
    proxy_pass http://pwndoc-backend;
}
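The same check can live in the application itself, which is the defence-in-depth layer the workarounds list mentions. The following is an added example, not PwnDoc's own code: a pure decision function that classifies a state-changing request by Sec-Fetch-Site (set by the browser, not by the page), then Origin, then Referer, plus an Express-compatible wrapper. The origin https://pwndoc.example.internal and the function names are assumptions for this example.

```javascript
// Added example (not PwnDoc's own code): reject cross-site state-changing
// requests at the application layer. Header precedence is Sec-Fetch-Site,
// then Origin, then Referer; a request with none of them fails closed.
// The allowed origin below is an assumption for this example.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function originOf(url) {
  try { return new URL(url).origin.toLowerCase(); } catch { return null; }
}

// Pure decision function: returns { allow: boolean, reason: string }.
// `headers` uses lower-case keys, as Express's req.headers does.
function csrfDecision(method, headers, allowedOrigin) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { allow: true, reason: 'safe method' };
  const h = (name) => headers[name.toLowerCase()];

  const fetchSite = h('sec-fetch-site');
  if (fetchSite) {
    // 'same-origin' and 'none' (typed URL / bookmark) are fine;
    // 'same-site' (sibling subdomain) and 'cross-site' are not.
    const ok = fetchSite === 'same-origin' || fetchSite === 'none';
    return { allow: ok, reason: `Sec-Fetch-Site=${fetchSite}` };
  }

  const origin = h('origin');
  if (origin) {
    const ok = origin.toLowerCase() === allowedOrigin;
    return { allow: ok, reason: ok ? 'Origin matches' : `Origin ${origin} is foreign` };
  }

  const refOrigin = h('referer') ? originOf(h('referer')) : null;
  if (refOrigin) {
    const ok = refOrigin === allowedOrigin;
    return { allow: ok, reason: ok ? 'Referer matches' : `Referer origin ${refOrigin} is foreign` };
  }

  // Browsers attach Origin to cross-origin POSTs, so a write request carrying
  // none of these headers is either non-browser or stripped: fail closed.
  return { allow: false, reason: 'no Sec-Fetch-Site, Origin or Referer header' };
}

// Express-compatible middleware (express itself is not needed to define it).
// Usage: app.use('/api', csrfGuard('https://pwndoc.example.internal'));
function csrfGuard(allowedOrigin) {
  const want = allowedOrigin.toLowerCase();
  return (req, res, next) => {
    const d = csrfDecision(req.method, req.headers, want);
    if (d.allow) return next();
    res.status(403).json({ error: 'cross-site request rejected', detail: d.reason });
  };
}

// Constructed requests against the assumed origin.
const ALLOWED = 'https://pwndoc.example.internal';
console.log(csrfDecision('POST', { 'sec-fetch-site': 'same-origin' }, ALLOWED));
console.log(csrfDecision('POST', { origin: 'https://evil.example' }, ALLOWED));
console.log(csrfDecision('PUT', { referer: 'https://evil.example/blog/post.html' }, ALLOWED));
console.log(csrfDecision('DELETE', {}, ALLOWED));
```

Because the last rule fails closed, scripted clients that authenticate with the session cookie but send no Origin or Referer are rejected too; if such clients are needed, give them an explicit allow rule rather than weakening the browser checks. The SameSite fix in the patch and this check protect against the same class of request, so a request that gets through one is still stopped by the other.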
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.