{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-52572", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-18T03:55:52.036Z", "datePublished": "2025-06-24T20:10:18.861Z", "dateUpdated": "2025-06-24T20:46:47.020Z"}, "containers": {"cna": {"title": "Hikka vulnerable to RCE through dangling web interface", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj"}, {"name": "https://t.me/bbcode/9", "tags": ["x_refsource_MISC"], "url": "https://t.me/bbcode/9"}], "affected": [{"vendor": "hikariatama", "product": "Hikka", "versions": [{"version": "<= 1.7.0-wip", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-24T20:10:18.861Z"}, "descriptions": [{"lang": "en", "value": "Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click \"Allow\" in the \"Allow web application ops\" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click \"Allow\" in your helper bot unless it is your explicit action that needs to be allowed."}], "source": {"advisory": "GHSA-7x3c-335v-wxjj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-24T20:45:53.730456Z", "id": "CVE-2025-52572", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T20:46:47.020Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-52572", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-24T20:45:53.730456Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T20:46:05.359Z"}}], "cna": {"title": "Hikka vulnerable to RCE through dangling web interface", "source": {"advisory": "GHSA-7x3c-335v-wxjj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "hikariatama", "product": "Hikka", "versions": [{"status": "affected", "version": "<= 1.7.0-wip"}]}], "references": [{"url": "https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj", "name": "https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://t.me/bbcode/9", "name": "https://t.me/bbcode/9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click \"Allow\" in the \"Allow web application ops\" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click \"Allow\" in your helper bot unless it is your explicit action that needs to be allowed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-24T20:10:18.861Z"}}}, "cveMetadata": {"cveId": "CVE-2025-52572", "state": "PUBLISHED", "dateUpdated": "2025-06-24T20:46:47.020Z", "dateReserved": "2025-06-18T03:55:52.036Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-24T20:10:18.861Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click \"Allow\" in the \"Allow web application ops\" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click \"Allow\" in your helper bot unless it is your explicit action that needs to be allowed."}, {"lang": "es", "value": "Hikka, un bot de usuario de Telegram, presenta una vulnerabilidad que afecta a todos los usuarios en todas las versiones de Hikka. Existen dos escenarios posibles: 1. La interfaz web no tiene una sesi\u00f3n autenticada: el atacante puede usar su propia cuenta de Telegram para acceder al servidor mediante la autorizaci\u00f3n en la interfaz web inactiva. 2. La interfaz web s\u00ed tiene una sesi\u00f3n autenticada: debido a una advertencia insuficiente en el mensaje de autenticaci\u00f3n, los usuarios se vieron tentados a hacer clic en \"Permitir\" en el men\u00fa \"Permitir operaciones de aplicaciones web\". Esto permiti\u00f3 al atacante acceder no solo a la ejecuci\u00f3n remota de c\u00f3digo, sino tambi\u00e9n a las cuentas de Telegram de los propietarios. Se sabe que el escenario n\u00famero 2 ha sido explotado in situ. No existen parches conocidos, pero existen algunas soluciones alternativas. Use el indicador `--no-web` y no inicie el bot de usuario sin \u00e9l; despu\u00e9s de autorizar en la interfaz web, cierre el puerto en el servidor o inicie el bot de usuario con el indicador `--no-web`; y no haga clic en \"Permitir\" en su bot auxiliar a menos que sea su acci\u00f3n expl\u00edcita la que deba permitirse."}], "id": "CVE-2025-52572", "lastModified": "2025-06-26T18:58:14.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-24T21:15:25.463", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj"}, {"source": "security-advisories@github.com", "url": "https://t.me/bbcode/9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}