Flag Forge Capture The Flag Platform Hints Exposure Vulnerability
Vulnerability
A broken access control vulnerability has been identified in Flag Forge, a Capture The Flag (CTF) platform, in versions from 2.1.0 up to, but not including, 2.3.0. The API endpoint GET /api/problems/:id discloses challenge hints in plaintext within the question object, regardless of whether the user has unlocked them through the point deduction. As a result, users can read every hint for free, bypassing the platform's intended restriction and undermining the integrity of the challenge system.
Impact
The vulnerability allows users to access hints without using the designated hint button, creating a business logic flaw that diminishes the challenge's integrity.
Remediation
Update to Flag Forge version 2.3.0, where this vulnerability has been patched. The patch removes hints from the default problem response and adds a dedicated hint unlock API that deducts the user's points, records the unlocked state, and returns the hint text only once it has been unlocked.
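The flaw and the fix described above, as an added illustration that is not Flag Forge's own code: the vulnerable response shape that returns the stored problem as-is, the fixed response with hint text stripped, and a dedicated unlock function that charges points and records the unlock. The in-memory store, the ids and the hint data are constructed for the example; in a real handler the user id would come from the authenticated session, and the point deduction would run in a database transaction.

```javascript
// Constructed sample data: one problem with two hints, one user with 50 points.
const problems = new Map([
  [1, { id: 1, title: "Warmup", points: 100,
        hints: [{ cost: 10, text: "Look at the headers" }, { cost: 60, text: "Decode it twice" }] }],
]);
const users = new Map([[7, { id: 7, points: 50, unlocked: new Set() }]]);

// Vulnerable shape of GET /api/problems/:id: the stored object is serialised whole,
// so every hint's text ships to the client whether or not it was unlocked.
function getProblemVulnerable(id) {
  return problems.get(id) ?? null;
}

// Fixed shape: hint text never leaves the server here; the client only learns
// each hint's cost and whether this user has already unlocked it.
function getProblemFixed(id, userId) {
  const p = problems.get(id);
  if (!p) return null;
  const user = users.get(userId);
  const { hints, ...rest } = p;
  return {
    ...rest,
    hints: hints.map((h, i) => ({
      index: i, cost: h.cost, unlocked: user?.unlocked.has(`${id}:${i}`) ?? false,
    })),
  };
}

// Dedicated unlock endpoint (hypothetical POST /api/problems/:id/hints/:index/unlock):
// validates the target, deducts points, records the unlock, and only then returns text.
// Re-requesting an unlocked hint returns it again without charging a second time.
function unlockHint(id, hintIndex, userId) {
  const p = problems.get(id);
  const user = users.get(userId);
  if (!p || !user) return { ok: false, error: "not found" };
  const hint = p.hints[hintIndex];
  if (!hint) return { ok: false, error: "no such hint" };
  const key = `${id}:${hintIndex}`;
  if (!user.unlocked.has(key)) {
    if (user.points < hint.cost) return { ok: false, error: "insufficient points" };
    user.points -= hint.cost;   // in production: atomic update + unlock record in one transaction
    user.unlocked.add(key);
  }
  return { ok: true, text: hint.text, points: user.points };
}
```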