CVE-2025-61789: 
Linux Debian vulnerability analysis and mitigation

Icinga DB Web, a graphical interface for Icinga monitoring, was found to contain a vulnerability (CVE-2025-61789) affecting versions before 1.1.4 and 1.2.3. The vulnerability was discovered and disclosed on October 16, 2025, allowing authorized users with access to Icinga DB Web to potentially expose sensitive information through custom variable filtering (GitHub Advisory).

The vulnerability is classified as CWE-204 (Observable Response Discrepancy), where the application provides different responses to incoming requests that could reveal internal state information to unauthorized actors. The vulnerability has a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network vector attack with high complexity, requiring low privileges, no user interaction, unchanged scope, and potential for high confidentiality impact (GitHub Advisory).

An authorized user with access to Icinga DB Web can exploit this vulnerability to guess values assigned to custom variables that are either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, potentially leading to unauthorized access to sensitive information (GitHub Advisory).

The vulnerability has been patched in versions 1.1.4 and 1.2.3, where the application now responds with an error if a protected or hidden custom variable is used in a filter. No alternative workarounds are available, making upgrading to a patched version the only mitigation strategy (GitHub Advisory).