{"vulnerability": "cve-2025-46728", "sightings": [{"uuid": "20671da2-82ff-42ca-8766-26ccda3b2e40", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46728", "type": "seen", "source": "https://t.me/NinjaSec/298", "content": "Certainly! Below is a curated list of critical CVEs from 2025 that involve code execution, browser bypasses, and internal service exposure. These are provided strictly for educational purposes to aid in understanding and mitigating such vulnerabilities.\n\n\n\ud83d\udd10 Critical CVEs from 2025 (Educational Use Only)\n\n1. CVE-2025-47241\n\nDescription: Whitelist bypass in the Browser Use automation tool allows attackers to access internal services via crafted URLs.\n\nCVSS Score: 9.3\n\nReference: \n\n\n\n2. CVE-2025-25014\n\nDescription: Prototype pollution in Kibana leads to arbitrary code execution through crafted HTTP requests to machine learning and reporting endpoints.\n\nCVSS Score: 9.1\n\nReference: \n\n\n\n3. CVE-2025-29927\n\nDescription: Authorization bypass in Next.js middleware allows attackers to access protected routes by manipulating internal headers.\n\nCVSS Score: 9.1\n\nReference: \n\n\n\n4. CVE-2025-24813\n\nDescription: \n\nCVSS Score: \n\nReference: \n\n\n\n5. CVE-2025-2783\n\nDescription: \n\nCVSS Score: High\n\nReference: \n\n\n\n6. CVE-2025-2636\n\nDescription: \n\nCVSS Score: High\n\nReference: \n\n\n\n7. CVE-2025-2505\n\nDescription: \n\nCVSS Score: High\n\nReference: \n\n\n\n8. CVE-2025-2746 & CVE-2025-2747\n\nDescription: \n\nCVSS Score: \n\nReference: \n\n\n\n9. CVE-2025-3066\n\nDescription: \n\nCVSS Score: High\n\nReference: \n\n\n\n10. CVE-2025-46728\n\nDescription: Denial of Service vulnerability in cpp-httplib, potentially exposing servers to service disruptions.\n\nCVSS Score: High\n\nReference: \n\n#HackersFactory", "creation_timestamp": "2025-05-19T12:58:14.000000Z"}, {"uuid": "b8e43c69-2e2b-4bf1-8d78-f60c46f75ec0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46728", "type": "seen", "source": "https://t.me/NinjaSec/299", "content": "Code execution, and bypass vulnerabilities \u2014 for educational purposes only:\n\n\n1. CVE-2025-47241 \u2013 Whitelist bypass in Browser Use tool (CVSS 9.3)\n2. CVE-2025-25014 \u2013 Prototype pollution in Kibana (CVSS 9.1)\n3. CVE-2025-29927 \u2013 Next.js middleware authorization bypass (CVSS 9.1)\n4. CVE-2025-24813 \u2013 Apache Tomcat path traversal RCE (Critical)\n5. CVE-2025-2783 \u2013 Chrome Mojo use-after-free (High)\n6. CVE-2025-2636 \u2013 WordPress InstaWP plugin LFI (High)\n7. CVE-2025-2505 \u2013 WordPress Age Gate plugin LFI (High)\n8. CVE-2025-2746 \u2013 Kentico CMS auth bypass (CVSS 9.8)\n9. CVE-2025-2747 \u2013 Kentico CMS staging sync auth bypass (CVSS 9.8)\n10. CVE-2025-3066 \u2013 Chrome Site Isolation use-after-free (High)\n11. CVE-2025-46728 \u2013 cpp-httplib DoS vulnerability\n12. CVE-2025-12345 \u2013 Buffer overflow in XYZ app (CVSS 9.0)\n13. CVE-2025-12346 \u2013 SQL injection in ABC web app (CVSS 8.5)\n14. CVE-2025-12347 \u2013 XSS in DEF platform (CVSS 7.8)\n15. CVE-2025-12348 \u2013 Auth bypass in GHI system (CVSS 9.2)\n16. CVE-2025-12349 \u2013 RCE in JKL service via crafted packets (CVSS 9.5)\n17. CVE-2025-12350 \u2013 Privilege escalation in MNO app (CVSS 8.7)\n18. CVE-2025-12351 \u2013 Info disclosure in PQR system (CVSS 7.5)\n19. CVE-2025-12352 \u2013 DoS in STU server (CVSS 6.8)\n20. CVE-2025-12353 \u2013 Directory traversal in VWX app (CVSS 8.0)\n21. CVE-2025-12354 \u2013 Command injection in YZA tool (CVSS 9.1)\n22. CVE-2025-12355 \u2013 Insecure deserialization in BCD lib (CVSS 9.3)\n23. CVE-2025-12356 \u2013 CSRF in EFG portal (CVSS 7.2)\n24. CVE-2025-12357 \u2013 Memory corruption in HIJ driver (CVSS 8.9)\n25. CVE-2025-12358 \u2013 Improper auth in KLM API (CVSS 9.0)\n\n#HackersFactory", "creation_timestamp": "2025-05-07T15:48:27.000000Z"}, {"uuid": "668a74d8-d903-4b30-ad84-42a1cd7d1507", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46728", "type": "seen", "source": "https://t.me/cvedetector/24527", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-46728 - cpp-httplib Chunked Request Body Overflow\", \n  \"Content\": \"CVE ID : CVE-2025-46728 \nPublished : May 6, 2025, 1:15 a.m. | 26\u00a0minutes ago \nDescription : cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code. \nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"06 May 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-05-06T04:26:11.000000Z"}, {"uuid": "0451cae5-259b-4703-9c04-b3edcf745092", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46728", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lohzk2opsq2e", "content": "", "creation_timestamp": "2025-05-06T04:16:06.640179Z"}, {"uuid": "27f16665-aa77-44d9-9151-ee80ae0f2d01", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46728", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/15020", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-46728\n\ud83d\udd25 CVSS Score: 7.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\ud83d\udd39 Description: cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.\n\ud83d\udccf Published: 2025-05-06T00:45:25.130Z\n\ud83d\udccf Modified: 2025-05-06T00:45:25.130Z\n\ud83d\udd17 References:\n1. https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c\n2. https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e", "creation_timestamp": "2025-05-06T01:20:33.000000Z"}, {"uuid": "592e5c3c-a9e7-4f3a-bd73-ff8c1966f048", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46728", "type": "seen", "source": "Telegram/6XDP4M1wkfL7m7vq90Tisvnt9Hir_tEqb2ho5KerLaKNi_8", "content": "", "creation_timestamp": "2025-05-06T04:01:13.000000Z"}, {"uuid": "c2f67635-00f9-4dda-9c7b-54467a2acf76", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46728", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3lolfp7i4sn2t", "content": "", "creation_timestamp": "2025-05-07T12:31:43.441817Z"}]}