---
Summary:
If you’ve ever used the Bible Module in your ROBLOX game, there’s a security issue you need to know about. In releases prior to version ..3, the FetchVerse and FetchPassage functions did not validate or encode their inputs before building the URL of the outbound API request. A player-controlled string could therefore change which request your game server sends. The maintainers fixed this in version ..3, and you should update right away, because there is no other workaround. Let’s take a deeper look.
What is the Bible Module?
Bible Module lets ROBLOX game developers pull Bible verses and passages into their games. It’s great for educational, religious, or storytelling games that want to show text straight from biblical sources.
Where’s the Problem?
The functions FetchVerse and FetchPassage are central to how the module works. They build the URL of an API request by concatenating values supplied by the caller (book name, chapter and verse) and then fetch it with HttpService from the game server. In versions up to ..2 there was no validation, encoding or sanitization of those values, so any character that has meaning in a URL (`/`, `?`, `&`, `#`) passed straight through. An attacker who controls the book, chapter or verse string can thereby rewrite the path and query of the request the server makes. This is a URL injection, one member of the injection family of vulnerabilities.
Here's a stripped-down example of how the vulnerable code looked before the fix:

    local HttpService = game:GetService("HttpService")

    -- Vulnerable: book, chapter and verse are concatenated into the URL
    -- with no validation or encoding.
    function FetchVerse(book, chapter, verse)
        local url = "https://bibleapi.com/v1/" .. book .. "/" .. chapter .. ":" .. verse
        return HttpService:GetAsync(url)
    end
If a malicious user supplies a crafted string such as "Genesis?foo=bar" as the book parameter, the URL no longer means what the module intended. Everything after the `?` is parsed as the query string, so the chapter and verse the game meant to request end up as part of a query the attacker chose. The attacker can append extra query parameters, steer the request to other paths on the API host, and have whatever the API returns for the altered request handed back to the player.
With that input the resulting API call is
https://bibleapi.com/v1/Genesis?foo=bar/1:1
Here’s a simple server-side test that triggers the vulnerability:

    local Bible = require(game.ServerScriptService.BibleModule)

    -- The trailing "&" in the book name turns "/1:1" into a second,
    -- attacker-controlled query parameter.
    local verse = Bible.FetchVerse("Genesis?foo=bar&", "1", "1")
    print(verse) -- Prints whatever the API returned for the altered URL
No Workaround, Update Required
There is no configuration setting or calling convention that makes the old versions safe; the only fix is to update the Bible Module to at least version ..3, which validates user input before building URLs.
Secure code example (as of v..3)

    local HttpService = game:GetService("HttpService")

    function SafeFetchVerse(book, chapter, verse)
        -- Accept only alphabetic book names, so "/", "?", "&" and "#"
        -- can never reach the URL.
        if not string.match(book, "^[A-Za-z]+$") then
            error("Invalid book name")
        end
        -- Chapter and verse must be numeric.
        if not tonumber(chapter) or not tonumber(verse) then
            error("Chapter and verse must be numbers")
        end
        local safe_url = "https://bibleapi.com/v1/" .. book .. "/" .. chapter .. ":" .. verse
        return HttpService:GetAsync(safe_url)
    end
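Two caveats a practitioner will want on the fixed version above. First, `^[A-Za-z]+$` rejects legitimate books such as "1 John" or "Song of Solomon", which is a reason to validate against a fixed list of book names rather than a character class. Second, `tonumber()` in Lua and Luau also accepts hexadecimal ("0x10"), exponent ("1e3") and surrounding whitespace (" 5 "), so `^%d+$` is the stricter check when the value is about to be placed in a URL. The script below is an added example, not code from the Bible Module or its maintainers: it puts the pre-fix concatenation beside a hardened builder that allowlists the book, requires plain decimal digits, and percent-encodes each segment as a second line of defence, then runs both over the injected input from the post and a few edge cases. It uses only stock Lua so it can be run outside ROBLOX; the base URL is the one quoted in the post and the book list is a constructed subset. Inside ROBLOX, `HttpService:UrlEncode` can replace the hand-written encoder.

```lua
-- Added example (not the Bible Module's own code). Runs in stock Lua 5.1+
-- or Luau without any ROBLOX APIs.

local BASE_URL = "https://bibleapi.com/v1/"  -- taken from the post; assumed

-- Allowlist of accepted book names (constructed subset for the example).
local BOOKS = {}
for _, name in ipairs({ "Genesis", "Exodus", "Psalms", "1 John", "Song of Solomon" }) do
    BOOKS[name] = true
end

-- Percent-encode one path segment per RFC 3986: keep unreserved characters
-- (A-Z a-z 0-9 - . _ ~) and encode everything else, including "/", "?", "&", "#" and " ".
local function encodeSegment(s)
    return (s:gsub("[^%w%-%._~]", function(c)
        return string.format("%%%02X", string.byte(c))
    end))
end

-- Vulnerable builder, equivalent to the pre-fix module: raw concatenation.
local function buildVerseUrlUnsafe(book, chapter, verse)
    return BASE_URL .. book .. "/" .. chapter .. ":" .. verse
end

-- Hardened builder: allowlist the book, require decimal digits for chapter
-- and verse (tonumber() would also accept "0x10", "1e3", " 5 "), then
-- percent-encode the book segment so even an allowlisted space is safe.
local function buildVerseUrlSafe(book, chapter, verse)
    if type(book) ~= "string" or not BOOKS[book] then
        return nil, "unknown book"
    end
    for _, n in ipairs({ chapter, verse }) do
        if type(n) ~= "string" or not n:match("^%d+$") then
            return nil, "chapter and verse must be decimal digits"
        end
    end
    return BASE_URL .. encodeSegment(book) .. "/" .. chapter .. ":" .. verse
end

-- Constructed inputs: the injection from the post plus edge cases.
local cases = {
    { "Genesis",          "1",    "1" },  -- benign
    { "1 John",           "4",    "8" },  -- legitimate book the alpha-only check rejects
    { "Genesis?foo=bar&", "1",    "1" },  -- query injection from the post
    { "../admin",         "1",    "1" },  -- path manipulation attempt
    { "Genesis",          "0x10", "1" },  -- passes tonumber(), fails ^%d+$
    { "Genesis",          "1e3",  "1" },  -- passes tonumber(), fails ^%d+$
}

for _, c in ipairs(cases) do
    local unsafe = buildVerseUrlUnsafe(c[1], c[2], c[3])
    local safe, err = buildVerseUrlSafe(c[1], c[2], c[3])
    print(string.format("%-22s unsafe: %s", "[" .. c[1] .. "]", unsafe))
    print(string.format("%-22s safe:   %s", "", safe or ("rejected (" .. err .. ")")))
end
```

Running it shows the unsafe builder emitting `https://bibleapi.com/v1/Genesis?foo=bar&/1:1` and `https://bibleapi.com/v1/../admin/1:1`, while the hardened builder rejects every crafted input and still serves "1 John" as `1%20John`. The allowlist is what makes the encoding a backstop rather than the primary control: if the API's path scheme for book names is later found to differ, the encoder changes but the set of reachable URLs does not.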
Who’s Affected?
Any ROBLOX game using a Bible Module version below ..3 is at risk.
This includes both public and private games that let players choose which verse to fetch, whether by typing free text or by picking from options whose values a player can control.
References
- Official Module Page (ROBLOX)
- GitHub Advisory Database: CVE-2025-23202 (pending official entry)
- ROBLOX Developer Documentation
- OWASP: Injection Attacks
Conclusion
CVE-2025-23202 is a critical, easy-to-exploit vulnerability. All ROBLOX game developers using the Bible Module must upgrade to version ..3 or newer now. Failing to do so leaves your game server making attacker-shaped requests on the players' behalf.
If you maintain a popular ROBLOX game or share your scripts with others, double-check your modules and dependencies. Keeping them up to date is the only way to stay safe.
*Original research and demonstration provided exclusively for this post.*
Timeline
Published on: 01/17/2025 21:15:11 UTC