CVE-2025-24369
Linux openSUSE vulnerability analysis and mitigation

Overview

Anubis, a tool that protects websites from AI scrapers with bot-checking heuristics and proof-of-work challenges, contained a vulnerability (CVE-2025-24369) disclosed on January 26, 2025. An attacker could bypass the protection by requesting a challenge, supplying an arbitrary nonce (the advisory uses 42069 as its example), and submitting the answer together with a client-chosen difficulty of zero, which the server accepted as a valid solution (GitHub Advisory, NVD).

Technical details

The root cause is a design flaw: when deciding whether to allow or deny a request, the server checked the proof-of-work answer against the difficulty value reported by the client itself rather than the one the administrator had configured, so a client could simply declare the required work to be trivial. The issue is classified as CWE-807: Reliance on Untrusted Inputs in a Security Decision. It received a CVSS v4.0 score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, that is, reachable over the network, high attack complexity, and a low confidentiality impact only (GitHub Advisory).

Impact

The vulnerability allowed sophisticated attackers or scraper operators who specifically targeted Anubis-protected websites to bypass the bot protection. The impact was nonetheless rated low: exploitation required a targeted effort against Anubis rather than generic scraping, and according to the developer the only known instances of exploitation were the reporter's proof-of-concept testing and the developer's own testing (Xe Blog).

Mitigation and workarounds

The fix landed in version v1.11.0-37-gd98d70a through commit e09d0226a628f04b1d80fd83bee777894a45cd02, which makes the server validate solutions against the administrator-configured difficulty instead of the client-specified one. Users should pull the most recent Docker image to get the patched build. There is no workaround; upgrading is the only remedy (GitHub Advisory).
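To make the flaw in the Technical details section and the fix in this section concrete, here is an added Go example written for this page; it is not Anubis's own code, and the proof-of-work shape (SHA-256 over challenge plus decimal nonce, difficulty counted as leading hex zeros) and the names ServerDifficulty, VulnerableVerify, HardenedVerify and Solve are assumptions for illustration. The vulnerable path trusts the difficulty the client reports, so nonce 42069 with difficulty 0 passes; the hardened path ignores that field and checks against the operator's setting.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// ServerDifficulty stands in for the operator-configured difficulty
// (number of leading hex zeros). A constant here for the example;
// the real project reads its own setting from configuration.
const ServerDifficulty = 4

// powHash is the assumed proof-of-work shape: SHA-256 over the challenge
// string concatenated with the decimal nonce, hex encoded.
func powHash(challenge string, nonce uint64) string {
	sum := sha256.Sum256([]byte(challenge + strconv.FormatUint(nonce, 10)))
	return hex.EncodeToString(sum[:])
}

// LeadingZeros counts leading '0' characters of a hex digest.
func LeadingZeros(h string) int {
	return len(h) - len(strings.TrimLeft(h, "0"))
}

// VulnerableVerify models the CWE-807 flaw: the difficulty the client
// reports in its response is the one the answer is checked against.
// With clientDifficulty == 0 every nonce satisfies the check.
func VulnerableVerify(challenge string, nonce uint64, clientDifficulty int) bool {
	return LeadingZeros(powHash(challenge, nonce)) >= clientDifficulty
}

// HardenedVerify models the fix: the client-supplied difficulty may still
// arrive in the request but is never consulted; only the server setting counts.
func HardenedVerify(challenge string, nonce uint64, clientDifficulty int) bool {
	_ = clientDifficulty // untrusted input, deliberately ignored
	return LeadingZeros(powHash(challenge, nonce)) >= ServerDifficulty
}

// Solve is the honest client path: brute-force a nonce for the given difficulty.
func Solve(challenge string, difficulty int) uint64 {
	for n := uint64(0); ; n++ {
		if LeadingZeros(powHash(challenge, n)) >= difficulty {
			return n
		}
	}
}

func main() {
	challenge := "constructed-challenge-token" // constructed sample input
	const bogusNonce = 42069                    // the advisory's example nonce
	fmt.Println("vulnerable, nonce 42069, client difficulty 0:",
		VulnerableVerify(challenge, bogusNonce, 0))
	fmt.Println("hardened,   nonce 42069, client difficulty 0:",
		HardenedVerify(challenge, bogusNonce, 0))
	n := Solve(challenge, ServerDifficulty)
	fmt.Printf("hardened,   solved nonce %d: %v\n", n, HardenedVerify(challenge, n, 0))
}
```

The design point is that the hardened verifier has no code path in which request data influences the threshold; if the difficulty needs to vary per client (for example, higher for suspicious traffic), the server should select it from its own policy and bind it into the challenge it issues, never read it back from the response.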

Community reactions

The vulnerability was responsibly disclosed by security researcher Coral Pink, and the developer (Xe Iaso) responded transparently, publishing a detailed blog post that explains the vulnerability, its impact, and the fix. The developer also stressed a commitment to handling security issues professionally and honestly (Xe Blog).

This report was generated using AI.