CVE-2025-14317 (GCVE-0-2025-14317)
Vulnerability from cvelistv5 – Published: 2026-01-14 13:28 – Updated: 2026-01-14 13:57
VLAI
EPSS
VEX
Title
User Enumeration in Crazy Bubble Tea mobile application
Summary
In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data.
This issue was fixed in version 915 (Android) and 7.4.1 (iOS).
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://crazybubble.pl/aplikacja-crazy-bubble/ | product |
| https://cert.pl/posts/2026/01/CVE-2025-14317 | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Emaintenance | Crazy Bubble Tea |
Affected:
0 , < 915
(custom)
|
|
| Emaintenance | Crazy Bubble Tea |
Affected:
0 , < 7.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T13:56:54.473704Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T13:57:08.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "Crazy Bubble Tea",
"vendor": "Emaintenance",
"versions": [
{
"lessThan": "915",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "Crazy Bubble Tea",
"vendor": "Emaintenance",
"versions": [
{
"lessThan": "7.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobiasz \u201ePalidon\u201d Kostrzewa"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Crazy Bubble Tea \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emobile application\u003c/span\u003e authenticated attacker can\u0026nbsp;obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server\u0026nbsp;does not verify the permissions required to obtain the data.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue was fixed in version\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e915 (Android) and 7.4.1 (iOS).\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "In Crazy Bubble Tea mobile application authenticated attacker can\u00a0obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server\u00a0does not verify the permissions required to obtain the data.\n\n\nThis issue was fixed in version\u00a0915 (Android) and 7.4.1 (iOS)."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T13:28:02.872Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"product"
],
"url": "https://crazybubble.pl/aplikacja-crazy-bubble/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/01/CVE-2025-14317"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "User Enumeration in Crazy Bubble Tea mobile application",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-14317",
"datePublished": "2026-01-14T13:28:02.872Z",
"dateReserved": "2025-12-09T10:11:51.748Z",
"dateUpdated": "2026-01-14T13:57:08.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-14317",
"date": "2026-07-09",
"epss": "0.00249",
"percentile": "0.16121"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-14317\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2026-01-14T14:16:11.543\",\"lastModified\":\"2026-06-17T08:35:43.480\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Crazy Bubble Tea mobile application authenticated attacker can\u00a0obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server\u00a0does not verify the permissions required to obtain the data.\\n\\n\\nThis issue was fixed in version\u00a0915 (Android) and 7.4.1 (iOS).\"},{\"lang\":\"es\",\"value\":\"En la aplicaci\u00f3n m\u00f3vil Crazy Bubble Tea, un atacante autenticado puede obtener informaci\u00f3n personal sobre otros usuarios al enumerar un par\u00e1metro \u0027loyaltyGuestId\u0027. El servidor no verifica los permisos necesarios para obtener los datos.\\n\\nEste problema se solucion\u00f3 en la versi\u00f3n 915 (Android) y 7.4.1 (iOS).\"}],\"affected\":[{\"source\":\"cvd@cert.pl\",\"affectedData\":[{\"vendor\":\"Emaintenance\",\"product\":\"Crazy Bubble Tea\",\"defaultStatus\":\"unaffected\",\"platforms\":[\"Android\"],\"versions\":[{\"version\":\"0\",\"lessThan\":\"915\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Emaintenance\",\"product\":\"Crazy Bubble Tea\",\"defaultStatus\":\"unaffected\",\"platforms\":[\"iOS\"],\"versions\":[{\"version\":\"0\",\"lessThan\":\"7.4.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-14T13:56:54.473704Z\",\"id\":\"CVE-2025-14317\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-359\"}]}],\"references\":[{\"url\":\"https://cert.pl/posts/2026/01/CVE-2025-14317\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://crazybubble.pl/aplikacja-crazy-bubble/\",\"source\":\"cvd@cert.pl\"}]}}",
"redhat_vex": {
"current_release_date": "2026-01-15T14:06:43+00:00",
"cve": "CVE-2025-14317",
"id": "CVE-2025-14317",
"initial_release_date": "2025-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "User Enumeration in Crazy Bubble Tea mobile application",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14317.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-14317\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-14T13:56:54.473704Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-14T13:57:04.650Z\"}}], \"cna\": {\"title\": \"User Enumeration in Crazy Bubble Tea mobile application\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tobiasz \\u201ePalidon\\u201d Kostrzewa\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Emaintenance\", \"product\": \"Crazy Bubble Tea\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"915\", \"versionType\": \"custom\"}], \"platforms\": [\"Android\"], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Emaintenance\", \"product\": \"Crazy Bubble Tea\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.4.1\", \"versionType\": \"semver\"}], \"platforms\": [\"iOS\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://crazybubble.pl/aplikacja-crazy-bubble/\", \"tags\": [\"product\"]}, {\"url\": \"https://cert.pl/posts/2026/01/CVE-2025-14317\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Crazy Bubble Tea mobile application authenticated attacker can\\u00a0obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server\\u00a0does not verify the permissions required to obtain the data.\\n\\n\\nThis issue was fixed in version\\u00a0915 (Android) and 7.4.1 (iOS).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIn Crazy Bubble Tea \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003emobile application\u003c/span\u003e authenticated attacker can\u0026nbsp;obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server\u0026nbsp;does not verify the permissions required to obtain the data.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue was fixed in version\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e915 (Android) and 7.4.1 (iOS).\u003c/span\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-359\", \"description\": \"CWE-359 Exposure of Private Personal Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2026-01-14T13:28:02.872Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-14317\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-14T13:57:08.343Z\", \"dateReserved\": \"2025-12-09T10:11:51.748Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2026-01-14T13:28:02.872Z\", \"assignerShortName\": \"CERT-PL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…