The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.
The vulnerability results from a combination of two mechanisms: a JavaScript prototype property access vulnerability (CWE-1321) and loose equality type coercion (CWE-843). An attacker can supply crafted input data to the login endpoint, which through prototype pollution or improper type comparison bypasses user identity verification (CWE-287). As a result, the application treats the request as authenticated and grants administrator privileges.
An attacker without any credentials gains full access to the Tarkov Data Manager admin panel, allowing them to read, modify, or delete managed Tarkov item data.
Update Tarkov Data Manager to a version containing the fixes introduced on January 2, 2025 (commit f188f0abf766cefe3f1b7b4fc6fe9dad3736174a). Details available in the vendor's references on GitHub.
Tarkov Data Manager (the-hideout/tarkov-data-manager project) in all versions released before January 2, 2025
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTarkov Data Manager
APPTarkov< 2025-01-02