CVE-2025-48952
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-04

Last updated on: 2025-08-06

Assigner: GitHub, Inc.

Description
NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows users to bypass password verification using SHA-256 magic hashes, due to loose comparison in PHP. In vulnerable versions of the application, a password comparison is performed using the `==` operator at line 40 in front/index.php. This introduces a security issue where specially crafted "magic hash" values that evaluate to true in a loose comparison can bypass authentication. Because of the use of `==` instead of the strict `===`, different strings that begin with 0e and are followed by only digits can be interpreted as scientific notation (i.e., zero) and treated as equal. This issue falls under the Login Bypass vulnerability class. Users with certain "weird" passwords that produce magic hashes are particularly affected. Services relying on this logic are at risk of unauthorized access. Version 25.6.7 fixes the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-04
Last Modified
2025-08-06
Generated
2026-05-07
AI Q&A
2025-07-05
EPSS Evaluated
2026-05-05
NVD
CVE-2025-48952
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netalertx netalertx to 25.6.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in NetAlertX prior to version 25.6.7 allows attackers to bypass password verification due to the use of loose comparison (==) in PHP when checking passwords. Specifically, passwords that produce SHA-256 hashes starting with '0e' followed only by digits can be interpreted as zero in scientific notation, causing the comparison to evaluate as true even if the passwords do not match. This enables unauthorized users to bypass authentication.


How can this vulnerability impact me? :

The vulnerability can lead to unauthorized access to services relying on NetAlertX authentication, as attackers can bypass password verification. This compromises confidentiality, integrity, and availability of the system, potentially allowing attackers to gain control or access sensitive information.


What immediate steps should I take to mitigate this vulnerability?

Upgrade NetAlertX to version 25.6.7 or later, as this version fixes the authentication bypass vulnerability caused by loose comparison of SHA-256 magic hashes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart