CVE-2025-52572 (GCVE-0-2025-52572)
Vulnerability from cvelistv5
Published
2025-06-24 20:10
Modified
2025-06-24 20:46
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-287 - Improper Authentication
Summary
Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click "Allow" in your helper bot unless it is your explicit action that needs to be allowed.
References
security-advisories@github.comhttps://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj
security-advisories@github.comhttps://t.me/bbcode/9
Impacted products
Vendor Product Version
hikariatama Hikka Version: <= 1.7.0-wip
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52572",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-24T20:45:53.730456Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-24T20:46:47.020Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Hikka",
          "vendor": "hikariatama",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.7.0-wip"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click \"Allow\" in the \"Allow web application ops\" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click \"Allow\" in your helper bot unless it is your explicit action that needs to be allowed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-24T20:10:18.861Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj"
        },
        {
          "name": "https://t.me/bbcode/9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://t.me/bbcode/9"
        }
      ],
      "source": {
        "advisory": "GHSA-7x3c-335v-wxjj",
        "discovery": "UNKNOWN"
      },
      "title": "Hikka vulnerable to RCE through dangling web interface"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52572",
    "datePublished": "2025-06-24T20:10:18.861Z",
    "dateReserved": "2025-06-18T03:55:52.036Z",
    "dateUpdated": "2025-06-24T20:46:47.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-52572\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-24T21:15:25.463\",\"lastModified\":\"2025-06-26T18:58:14.280\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click \\\"Allow\\\" in the \\\"Allow web application ops\\\" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click \\\"Allow\\\" in your helper bot unless it is your explicit action that needs to be allowed.\"},{\"lang\":\"es\",\"value\":\"Hikka, un bot de usuario de Telegram, presenta una vulnerabilidad que afecta a todos los usuarios en todas las versiones de Hikka. Existen dos escenarios posibles: 1. La interfaz web no tiene una sesi\u00f3n autenticada: el atacante puede usar su propia cuenta de Telegram para acceder al servidor mediante la autorizaci\u00f3n en la interfaz web inactiva. 2. La interfaz web s\u00ed tiene una sesi\u00f3n autenticada: debido a una advertencia insuficiente en el mensaje de autenticaci\u00f3n, los usuarios se vieron tentados a hacer clic en \\\"Permitir\\\" en el men\u00fa \\\"Permitir operaciones de aplicaciones web\\\". Esto permiti\u00f3 al atacante acceder no solo a la ejecuci\u00f3n remota de c\u00f3digo, sino tambi\u00e9n a las cuentas de Telegram de los propietarios. Se sabe que el escenario n\u00famero 2 ha sido explotado in situ. No existen parches conocidos, pero existen algunas soluciones alternativas. Use el indicador `--no-web` y no inicie el bot de usuario sin \u00e9l; despu\u00e9s de autorizar en la interfaz web, cierre el puerto en el servidor o inicie el bot de usuario con el indicador `--no-web`; y no haga clic en \\\"Permitir\\\" en su bot auxiliar a menos que sea su acci\u00f3n expl\u00edcita la que deba permitirse.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://t.me/bbcode/9\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-52572\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-24T20:45:53.730456Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-24T20:46:05.359Z\"}}], \"cna\": {\"title\": \"Hikka vulnerable to RCE through dangling web interface\", \"source\": {\"advisory\": \"GHSA-7x3c-335v-wxjj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"hikariatama\", \"product\": \"Hikka\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.7.0-wip\"}]}], \"references\": [{\"url\": \"https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj\", \"name\": \"https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://t.me/bbcode/9\", \"name\": \"https://t.me/bbcode/9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click \\\"Allow\\\" in the \\\"Allow web application ops\\\" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click \\\"Allow\\\" in your helper bot unless it is your explicit action that needs to be allowed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-24T20:10:18.861Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-52572\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-24T20:46:47.020Z\", \"dateReserved\": \"2025-06-18T03:55:52.036Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-24T20:10:18.861Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.