N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-14881

CVE-2025-14881: pretix has Broken Access Control Allowing Cross-User File Access via UUID

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-14881

CVE-2025-14881:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pretix	pip	>= 2025.10.0, < 2025.10.1	2025.10.1
pretix	pip	>= 2025.9.0, < 2025.9.3	2025.9.3
pretix	pip	< 2025.8.3	2025.8.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as CVE-2025-14881, is a Broken Access Control issue in pretix. Multiple endpoints allowed unauthorized access to files stored as CachedFile objects. The root cause was that these endpoints retrieved files using their unique identifiers (UUIDs or primary keys) without properly verifying that the user making the request was the one who originally created or was granted access to the file.

The patch addresses this by introducing a session-binding mechanism. When a CachedFile is created, it is now explicitly bound to the user's current session (or API token) by storing a derived session key in the CachedFile.session_key field. The new allowed_for_session method was added to the CachedFile model to centralize the authorization logic.

My analysis of the commit 4b5651862c57c6e384822d1d23292342126c479a reveals several functions where this check was missing and subsequently added. These functions are the direct points of vulnerability:

ExportersViewSet.download: This API endpoint for downloading exported files fetched the file by ID without checking ownership.
DownloadView.object: A generic view for downloading files, it had a weak session check that was replaced with the new, more secure method.
ImportView.file: This property, used in a data import view, fetched an uploaded file without verifying the user's session.
ShredderStart.get_context_data: This view, used for data shredding, accessed file metadata without proper authorization.
BaseEditor.post: This view allowed fetching a file via a POST request parameter without sufficient checks.

During an exploit, a profiler would show one of these function names in the stack trace when an attacker makes a request with a known file ID that does not belong to them. The functions identified are the exact locations where the insufficient authorization occurred.

Vulnerable functions

ExportersViewSet.download

src/pretix/api/views/exporters.py

The `download` function in the `ExportersViewSet` class was vulnerable to an authorization bypass. It retrieved a `CachedFile` object using its ID from the URL without verifying if the requesting user was authorized to access it. An attacker who knew the ID of a file could download it, even if it belonged to another user. The patch adds a call to `cf.allowed_for_session` to ensure the file is bound to the current user's session.

DownloadView.object

src/pretix/base/views/cachedfiles.py

The `object` method in the `DownloadView` class, which is responsible for retrieving a file for download, had an insufficient access control check. While it checked for a `session_key`, this mechanism was not used consistently and could be bypassed. The vulnerability allowed an attacker to access files they were not authorized to by providing the file's ID. The patch replaces the weak check with a call to the more robust `allowed_for_session` method.

ImportView.file

src/pretix/control/views/modelimport.py

The `file` property within a view in `modelimport.py` (likely `ImportView`) directly fetched a `CachedFile` using its primary key from the URL kwargs without any authorization check. This allowed an attacker to access or process another user's imported file by guessing or obtaining its ID. The patch adds a check using `allowed_for_session` to ensure the file belongs to the current user's session.

ShredderStart.get_context_data

src/pretix/control/views/shredder.py

The `get_context_data` method in the `ShredderStart` view retrieved a `CachedFile` for data shredding operations based on its primary key. It lacked a check to verify if the file was associated with the current user, allowing an attacker to potentially access and view metadata of another user's file by providing its ID. The patch introduces the `allowed_for_session` check to prevent this.

BaseEditor.post

src/pretix/control/views/pdf.py

The `post` method in the `BaseEditor` class was vulnerable because it fetched a `CachedFile` object using an ID from the POST data without sufficient validation. An attacker could potentially use this to access an arbitrary file by its ID. The patch mitigates this by adding a `web_download=True` filter, restricting access only to files explicitly marked for web download, though the primary fix is the session binding implemented elsewhere.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-14881: pretix has Broken Access Control Allowing Cross-User File Access via UUID

CVE-2025-14881:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-14881: pretix has Broken Access Control Allowing Cross-User File Access via UUID

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI