CVE-2025-31120: NamelessMC Vulnerable to Cookie-Based View Count Manipulation
First published: Fri Apr 18 2025(Updated: )
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| NamelessMC | <2.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-31120?
CVE-2025-31120 has been classified as a low severity vulnerability.
How do I fix CVE-2025-31120?
To fix CVE-2025-31120, upgrade to NamelessMC version 2.2.0 or later.
What kind of attack does CVE-2025-31120 enable?
CVE-2025-31120 enables unauthenticated attackers to artificially increase the view count on forum pages.
Which versions of NamelessMC are affected by CVE-2025-31120?
NamelessMC versions 2.1.4 and prior are affected by CVE-2025-31120.
Is authentication required to exploit CVE-2025-31120?
No, CVE-2025-31120 can be exploited by unauthenticated users.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/author
- agent/tags
- agent/source
- agent/event
- vendor/namelessmc
- canonical/namelessmc