CVE-2025-14317

Summary

In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a loyaltyGuestId parameter. Server does not verify the permissions required to obtain the data.

This issue was fixed in version 915 (Android) and 7.4.1 (iOS).

Affected Software

VendorProductVersion RangeStatus
EmaintenanceCrazy Bubble Tea0 < 915affected
EmaintenanceCrazy Bubble Tea0 < 7.4.1affected

Weaknesses

  • CWE-359: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References