Impact
Capgo versions released before 12.128.2 contain an authentication bypass that allows attackers to send HTTP OPTIONS requests to the /build/upload/:jobId/* endpoint. The bypass forces the tusProxy logic to process requests with invalid credentials and consistently return 500 errors. Repeating this behavior can exhaust server resources, making the application unavailable to legitimate users. This weakness corresponds to CWE-306, an authentication bypass issue.
Affected Systems
The vulnerability affects Capgo applications that are earlier than version 12.128.2, regardless of deployment environment or hosting provider.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, and the EPSS score is unavailable, suggesting uncertainty about the exploitation likelihood. Because the bypass is triggered by unauthenticated OPTIONS requests, an attacker needs only remote network access and the ability to send HTTP traffic. The vulnerability is not listed in CISA’s KEV catalog, but its remote and unauthenticated nature makes it attractive for opportunistic denial‑of‑service attacks.
OpenCVE Enrichment