CVE-2025-4018 Overview
A critical missing authentication vulnerability has been identified in Novel-Plus, an open-source novel reading and crawling platform. This vulnerability affects the addCrawlSource function within the file novel-crawl/src/main/java/com/java2nb/novel/controller/CrawlController.java. The flaw allows unauthenticated remote attackers to manipulate crawl source configurations, potentially leading to unauthorized data access or system compromise.
Critical Impact
Remote attackers can exploit this missing authentication vulnerability to add arbitrary crawl sources without any authentication, potentially allowing unauthorized content injection or manipulation of the novel crawling system.
Affected Products
- xxyopen Novel-Plus (versions up to commit 0e156c04b4b7ce0563bef6c97af4476fcda8f160)
Discovery Timeline
- 2025-04-28 - CVE-2025-4018 published to NVD
- 2025-10-10 - Last updated in NVD database
Technical Details for CVE-2025-4018
Vulnerability Analysis
This vulnerability is classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). The addCrawlSource function in the CrawlController lacks proper authentication checks, allowing any remote user to invoke this endpoint without providing valid credentials. This represents a fundamental security oversight in the application's access control mechanism.
The vulnerability exists in the novel crawling component of the application, which is responsible for managing external content sources. Without authentication enforcement, attackers can freely add, modify, or potentially abuse the crawl source functionality to introduce malicious content or redirect crawling operations to attacker-controlled servers.
Root Cause
The root cause of this vulnerability is the absence of authentication middleware or security annotations on the addCrawlSource endpoint in the CrawlController.java file. Java-based web frameworks like Spring typically require explicit security configurations or annotations (such as @PreAuthorize or @Secured) to enforce authentication on controller methods. The developers failed to implement these protective measures on this critical administrative function.
Attack Vector
The attack can be initiated remotely over the network without requiring any user interaction or prior authentication. An attacker simply needs network access to the Novel-Plus application to exploit this vulnerability. By sending crafted HTTP requests to the vulnerable endpoint, attackers can add arbitrary crawl sources to the system. This could enable various attack scenarios including:
- Adding malicious crawl sources that inject harmful content into the novel database
- Redirecting the crawler to attacker-controlled servers for reconnaissance or phishing
- Potential Server-Side Request Forgery (SSRF) if the crawl functionality makes outbound requests to user-specified URLs
- Resource exhaustion by adding numerous crawl sources to overload the system
The vulnerability can be exploited by sending unauthenticated HTTP requests to the addCrawlSource endpoint in the CrawlController. Without proper authentication checks, the server processes these requests and adds the specified crawl source to the system configuration. For detailed technical analysis, refer to the VulDB entry #306371 and the CNBlogs technical writeup.
Detection Methods for CVE-2025-4018
Indicators of Compromise
- Unexpected crawl source entries in the Novel-Plus database or configuration
- HTTP requests to /crawl/addCrawlSource or similar endpoints from unauthenticated sessions
- Unusual outbound connections from the application server to unknown external hosts
- Logs showing crawl source additions without corresponding authenticated user sessions
Detection Strategies
- Monitor web application logs for requests to the CrawlController endpoints without valid session tokens
- Implement web application firewall (WAF) rules to detect and block unauthenticated requests to administrative endpoints
- Review application access logs for patterns indicating automated exploitation attempts
- Set up alerts for any modifications to crawl source configurations outside normal administrative workflows
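An added detection example (my code, not from the page or the Novel-Plus project) in Java: it scans constructed access-log lines for requests to /crawl/addCrawlSource that succeeded without any session cookie, which is the pattern the indicators above describe. The log layout, the JSESSIONID cookie name and the sample lines are assumptions; adapt the regex to your server's real access-log format.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Flags successful requests to the crawl-source endpoint that carry no session cookie.
// Assumed log layout: '<ip> - - [<ts>] "<method> <path> HTTP/1.1" <status> <bytes> "<cookie-header>"'
// (sample lines below are constructed, not taken from any real deployment).
public class CrawlSourceDetector {
    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\w+) (\\S+) [^\"]*\" (\\d{3}) \\S+ \"([^\"]*)\"$");
    private static final Pattern TARGET = Pattern.compile("^/crawl/addCrawlSource(\\?.*)?$");
    // Cookie name is an assumption; change it to whatever your deployment actually issues
    private static final Pattern SESSION = Pattern.compile("\\bJSESSIONID=[A-Za-z0-9]+");

    static List<String> findUnauthenticatedHits(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;                 // skip lines in another format
            String ip = m.group(1), method = m.group(3), path = m.group(4);
            String status = m.group(5), cookies = m.group(6);
            if (!TARGET.matcher(path).matches()) continue;
            boolean hasSession = SESSION.matcher(cookies).find();
            // A 2xx/3xx answer with no session cookie means the server accepted an anonymous write
            if (!hasSession && status.charAt(0) != '4' && status.charAt(0) != '5') {
                hits.add(ip + " " + method + " " + path + " status=" + status);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> sample = List.of(
            "203.0.113.7 - - [10/Oct/2025:10:00:01 +0000] \"POST /crawl/addCrawlSource HTTP/1.1\" 200 42 \"-\"",
            "198.51.100.3 - - [10/Oct/2025:10:00:05 +0000] \"POST /crawl/addCrawlSource HTTP/1.1\" 200 42 \"JSESSIONID=abc123\"",
            "203.0.113.7 - - [10/Oct/2025:10:00:09 +0000] \"GET /book/list HTTP/1.1\" 200 1337 \"-\"");
        findUnauthenticatedHits(sample).forEach(System.out::println); // reports only the first line
    }
}
```

Because the vulnerable endpoint accepts anonymous calls, a present session cookie does not by itself prove a legitimate change; correlate hits against the admin users who were actually logged in at that time.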
Monitoring Recommendations
- Enable detailed logging for all controller endpoints in the Novel-Plus application
- Configure log aggregation to centralize and analyze web server access logs
- Implement real-time alerting for authentication bypass attempts on critical administrative functions
- Regularly audit crawl source configurations for unauthorized or suspicious entries
How to Mitigate CVE-2025-4018
Immediate Actions Required
- Restrict network access to the Novel-Plus application to trusted IP addresses only
- Implement a reverse proxy with authentication requirements in front of the application
- Disable or remove the crawl functionality if not actively required
- Audit existing crawl source entries for any unauthorized additions
Patch Information
The vendor (xxyopen) was contacted about this vulnerability but did not respond. As of the last update on 2025-10-10, no official patch has been released. Organizations using Novel-Plus should consider implementing manual patches or transitioning to alternative solutions with active security support.
For community patches or updates, monitor the VulDB entry and the project's GitHub repository for any security-related commits.
Workarounds
- Add authentication annotations (e.g., @PreAuthorize("hasRole('ADMIN')")) to the addCrawlSource method in CrawlController.java; note that these annotations only take effect when Spring Security is present and method security is enabled, otherwise they are silently ignored
- Implement a security filter or interceptor to enforce authentication on all crawl-related endpoints
- Deploy the application behind an authentication proxy that requires valid credentials before forwarding requests
- Use network segmentation to isolate the Novel-Plus instance from untrusted networks
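An added example of the filter/interceptor workaround (my code, not a Novel-Plus patch), assuming the application is Spring MVC on Spring Boot 3 (jakarta.servlet imports; use javax.servlet on Boot 2) and that the admin login stores a session attribute named adminUser; both are placeholder assumptions to adapt to the real login code. Every request under /crawl/**, including addCrawlSource, is rejected with 401 before any controller method runs unless that attribute is present.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Denies every request under /crawl/** unless the session already belongs to an authenticated admin.
// Assumption: the admin login puts a marker in the HttpSession under "adminUser" (placeholder name).
public class CrawlAuthInterceptor implements HandlerInterceptor {
    static final String ADMIN_SESSION_KEY = "adminUser";

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler)
            throws Exception {
        if (isAuthenticatedAdmin(req)) {
            return true;                                         // continue to CrawlController
        }
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);      // 401; addCrawlSource never runs
        return false;
    }

    // Kept separate so the decision can be unit-tested without a servlet container
    static boolean isAuthenticatedAdmin(HttpServletRequest req) {
        HttpSession session = req.getSession(false);             // never create a session for anonymous callers
        return session != null && session.getAttribute(ADMIN_SESSION_KEY) != null;
    }
}

// Registers the interceptor for the whole crawl namespace, not just the one known-vulnerable method
@Configuration
class CrawlSecurityConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new CrawlAuthInterceptor()).addPathPatterns("/crawl/**");
    }
}
```

Unlike the @PreAuthorize annotation, this interceptor does not depend on Spring Security being configured, which makes it a practical stopgap until an upstream fix exists.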
# Example: Add IP-based access restriction using iptables
# Restrict access to Novel-Plus port (e.g., 8080) to trusted admin IPs only
# Note: -A appends, so an earlier blanket ACCEPT in the INPUT chain would still match first; use -I to insert at the top if needed
# These rules are not persistent across reboots; save them with your distribution's iptables persistence mechanism
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.