CVE-2025-49591

CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/lib/http-worker.js#L356-L364
https://github.com/cryptpad/cryptpad/commit/0c5d4bbf5e5206d53470ea86a664fa2b703fb611
https://github.com/cryptpad/cryptpad/commit/f624f9d457d36040f57c7598d98a8b9461b79837
https://github.com/cryptpad/cryptpad/security/advisories/GHSA-xq5x-wgcm-3p33

Configurations

No configuration.

History

23 Jun 2025, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-18 23:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-49591

Mitre link : CVE-2025-49591

CVE.ORG link : CVE-2025-49591

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

CWE-287

Improper Authentication

{"id": "CVE-2025-49591", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-18T23:15:19.403", "references": [{"url": "https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/lib/http-worker.js#L356-L364", "source": "security-advisories@github.com"}, {"url": "https://github.com/cryptpad/cryptpad/commit/0c5d4bbf5e5206d53470ea86a664fa2b703fb611", "source": "security-advisories@github.com"}, {"url": "https://github.com/cryptpad/cryptpad/commit/f624f9d457d36040f57c7598d98a8b9461b79837", "source": "security-advisories@github.com"}, {"url": "https://github.com/cryptpad/cryptpad/security/advisories/GHSA-xq5x-wgcm-3p33", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0."}, {"lang": "es", "value": "CryptPad es una suite de colaboraci\u00f3n. Antes de la versi\u00f3n 2025.3.0, la aplicaci\u00f3n de la autenticaci\u00f3n de dos factores (2FA) en CryptPad pod\u00eda eludirse f\u00e1cilmente debido a la implementaci\u00f3n deficiente de los controles de acceso. Un atacante que compromete las credenciales de un usuario puede acceder a la cuenta de la v\u00edctima, incluso si esta tiene configurada la 2FA. Esto se debe a que la 2FA no se aplica si el par\u00e1metro de ruta no tiene 44 caracteres, lo cual puede eludirse simplemente codificando un solo car\u00e1cter en la ruta. Este problema se ha corregido en la versi\u00f3n 2025.3.0."}], "lastModified": "2025-06-23T20:16:59.783", "sourceIdentifier": "security-advisories@github.com"}