Impact
The Tarkov Data Manager suffers from an authentication bypass that lets an unauthenticated user gain full administrative access to its admin panel. The flaw arises from a JavaScript prototype property access issue combined with loose equality type coercion, and is classified under improperly controlled prototype attribute access (CWE-1321), improper authentication (CWE-287) and type confusion (CWE-843). The consequence is that an attacker can read, modify, or delete all item data managed by the application, so the vulnerability directly affects the confidentiality, integrity, and availability of that data. The description states that any unauthenticated user can exploit the flaw via the login endpoint, so the exposure is through the web interface itself rather than through any internal component.
Affected Systems
The affected vendor and product are the-hideout's Tarkov Data Manager. No version string is listed; the advisory identifies the fix by the commits released on 2 January 2025, so any deployment built from a commit earlier than that date should be treated as vulnerable. A practitioner checking exposure should compare the commit the running instance was built from against that date rather than rely on a version number.
Risk and Exploitability
The flaw carries a CVSS score of 9.8 (critical), while its EPSS score is below one percent, meaning the estimated probability of exploitation in the wild over the near term is currently low. The vulnerability is not listed in CISA's KEV catalog. An attacker can exploit it remotely with a single crafted HTTP request to the login endpoint, abusing prototype property access and loose-equality type coercion to pass the credential check without holding valid credentials. No privileges, user interaction, or special environment configuration are required beyond network access to the web interface. Because the bypass needs no credentials, an admin panel reachable from the internet is the main risk factor; restricting network access to the panel is the obvious mitigating control until the fixed commits are deployed.
OpenCVE Enrichment