Impact
The vulnerability occurs in the Capgo application before version 12.128.2, where the /private/accept_invitation endpoint fails to handle an invalid magic_invite_string correctly. Instead of returning a safe 4xx error, the server responds with a generic HTTP 500 status, exposing internal processing details. This is classified as CWE‑209, which allows attackers to gain information about the system’s internal state.
Affected Systems
The affected product is Capgo, specifically any deployment of the Capgo server running a pre‑12.128.2 release. The endpoint is publicly accessible and requires only the public key to invoke the endpoint, allowing any external user to trigger the error.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. While the EPSS score is not available and the vulnerability is not listed in CISA KEV, the attack vector is straightforward: an attacker only needs to send malformed magic_invite_string values to the public endpoint. This can be automated to generate repeated 500 responses, potentially leaking system internals and creating a small but exploitable denial of service scenario.
OpenCVE Enrichment