Full Report
Exposure of Private Personal Information (CVE-2025-14317) has been identified in Crazy Bubble Tea mobile application.
Analysis Summary
# Vulnerability: Exposure of Private Personal Information in Crazy Bubble Tea
## CVE Details
- CVE ID: CVE-2025-14317
- CVSS Score: Not explicitly provided, inferred as **Medium/High** based on PII exposure without specific score details.
- CWE: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)
## Affected Systems
- Products: Crazy Bubble Tea mobile application
- Versions: All versions prior to Android 915 and iOS 7.4.1
- Configurations: Authentication required to exploit, but resource access controls are flawed.
## Vulnerability Description
The vulnerability allows an authenticated attacker to retrieve personal information belonging to other users. This is achieved by enumerating the `loyaltyGuestId` parameter in requests to the server. The server fails to verify if the authenticated user possesses the necessary permissions (authorization check) to access the data requested via this parameter.
## Exploitation
- Status: Disclosure coordinated, status in the wild is **Unknown/Not specified**. (Implied PoC possible via enumeration)
- Complexity: **Medium** (Requires authentication)
- Attack Vector: **Network** (Likely via API calls)
## Impact
- Confidentiality: **High** (Exposure of Personally Identifiable Information belonging to other users)
- Integrity: **Low** (No mention of modification capability)
- Availability: **Low** (No mention of service disruption)
## Remediation
### Patches
- **Android:** Version 915 and later
- **iOS:** Version 7.4.1 and later
### Workarounds
- No specific vendor workarounds were provided in the source material. Limiting access to the affected API endpoints or implementing strict server-side authorization checks if patches are delayed could serve as temporary mitigation.
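The flaw described above (authentication enforced, but no check that the caller owns the `loyaltyGuestId` being requested) and the server-side authorization check the workaround recommends, shown side by side. This is an added illustration, not code from the Crazy Bubble Tea application; the handler shape, account names, profile data and the `ACCOUNT_OWNS` ownership table are all hypothetical, and only the parameter name `loyaltyGuestId` comes from the advisory.

```python
# Added illustration (hypothetical handler, not Crazy Bubble Tea code) of the
# CWE-359 pattern in CVE-2025-14317: a lookup keyed on a client-supplied
# loyaltyGuestId with no ownership check, and the hardened version.
from dataclasses import dataclass


@dataclass(frozen=True)
class GuestProfile:
    loyalty_guest_id: str
    name: str
    email: str
    phone: str


# Constructed sample data: each loyalty id belongs to exactly one account.
PROFILES = {
    "1001": GuestProfile("1001", "Alice", "alice@example.com", "+48 500 000 001"),
    "1002": GuestProfile("1002", "Bob", "bob@example.com", "+48 500 000 002"),
}
# Constructed mapping from authenticated account -> loyalty ids it owns.
ACCOUNT_OWNS = {"alice": {"1001"}, "bob": {"1002"}}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the resource."""


def is_owner(authenticated_user: str, loyalty_guest_id: str) -> bool:
    """Authorization predicate: does this account own this loyaltyGuestId?"""
    return loyalty_guest_id in ACCOUNT_OWNS.get(authenticated_user, set())


def get_profile_vulnerable(authenticated_user: str, loyalty_guest_id: str) -> GuestProfile:
    """Flawed handler: authentication is checked, authorization is not.

    Any logged-in account can supply any loyaltyGuestId and receive that
    guest's personal data, which is the exposure the advisory describes.
    """
    if authenticated_user not in ACCOUNT_OWNS:
        raise PermissionError("not authenticated")
    return PROFILES[loyalty_guest_id]  # no ownership check on the supplied id


def get_profile_hardened(authenticated_user: str, loyalty_guest_id: str) -> GuestProfile:
    """Fixed handler: the server verifies ownership before touching the record.

    Ids owned by someone else and ids that do not exist fail identically
    (Forbidden), so the response does not reveal which ids are valid.
    """
    if authenticated_user not in ACCOUNT_OWNS:
        raise PermissionError("not authenticated")
    if not is_owner(authenticated_user, loyalty_guest_id):
        raise Forbidden("loyaltyGuestId not owned by caller")
    return PROFILES[loyalty_guest_id]


if __name__ == "__main__":
    print(get_profile_vulnerable("alice", "1002"))  # leaks Bob's profile
    print(get_profile_hardened("alice", "1001"))    # Alice's own profile
    try:
        get_profile_hardened("alice", "1002")
    except Forbidden as exc:
        print("blocked:", exc)
```

The important property of the hardened version is that the ownership decision is made from server-side state (`ACCOUNT_OWNS`), never from anything the client sends, and that the check runs before the record is read.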
## Detection
- Indicators of compromise: Excessive or unusual requests querying user-specific IDs (`loyaltyGuestId`) originating from a single authenticated session or automated scripts.
- Detection methods and tools: Application monitoring systems capable of tracking abnormal parameter enumeration patterns against user data endpoints.
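One way to implement the detection described above, as an added example that is not part of the original advisory: count how many distinct `loyaltyGuestId` values a single authenticated session requests inside a short time window and flag sessions above a threshold. The log format, field names, session and user names, and threshold are all constructed for this example; the real application's logs are not known.

```python
# Added example (not from the advisory): flag sessions that query many distinct
# loyaltyGuestId values in a short window. Log format and sample lines are
# constructed; adapt LINE_RE to the real access-log layout.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines. Session s2 walks five ids in a few
# seconds; session s1 only ever asks for its own id.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z session=s1 user=alice GET /api/guest?loyaltyGuestId=1001 200
2025-03-01T09:00:05Z session=s2 user=carol GET /api/guest?loyaltyGuestId=1001 200
2025-03-01T09:00:06Z session=s2 user=carol GET /api/guest?loyaltyGuestId=1002 200
2025-03-01T09:00:07Z session=s2 user=carol GET /api/guest?loyaltyGuestId=1003 200
2025-03-01T09:00:08Z session=s2 user=carol GET /api/guest?loyaltyGuestId=1004 200
2025-03-01T09:00:09Z session=s2 user=carol GET /api/guest?loyaltyGuestId=1005 200
2025-03-01T09:30:00Z session=s1 user=alice GET /api/guest?loyaltyGuestId=1001 200
2025-03-01T09:30:02Z session=s1 user=alice GET /api/menu 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"(?P<method>\S+) (?P<path>\S*loyaltyGuestId=(?P<gid>\d+)\S*) (?P<status>\d{3})$"
)


def parse_events(log_text):
    """Return (timestamp, session, user, loyaltyGuestId) for matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # request without loyaltyGuestId, or unparsable line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["session"], m["user"], m["gid"]))
    return events


def max_distinct_ids_per_session(events, window_seconds=60):
    """For each (session, user), the largest number of distinct ids requested
    inside any window of window_seconds ending at one of its requests."""
    by_session = defaultdict(list)
    for ts, session, user, gid in events:
        by_session[(session, user)].append((ts, gid))
    window = timedelta(seconds=window_seconds)
    result = {}
    for key, evs in by_session.items():
        evs.sort()  # chronological; small volumes, so O(n^2) scan is fine
        best = 0
        for i, (end_ts, _) in enumerate(evs):
            ids = {gid for ts, gid in evs[: i + 1] if ts >= end_ts - window}
            best = max(best, len(ids))
        result[key] = best
    return result


def flag_enumeration(log_text, threshold=3, window_seconds=60):
    """Sessions whose distinct-id count in a window reaches the threshold."""
    counts = max_distinct_ids_per_session(parse_events(log_text), window_seconds)
    return sorted((s, u, n) for (s, u), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for session, user, n in flag_enumeration(SAMPLE_LOG):
        print(f"session={session} user={user} distinct loyaltyGuestId values in window={n}")
```

A legitimate client normally requests one `loyaltyGuestId` (its own) per session, so even a low threshold separates ordinary traffic from enumeration; the window keeps a long-lived session that occasionally refreshes its own profile from being counted.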
## References
- Vendor advisory coordinated via CERT Polska.
- [CERT Polska Report](https://cert.pl/en/publications/) (General publications index)
- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2025-14317)