CVE-2025-54573
BaseFortify
Publication date: 2025-07-30
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cvat | computer_vision_annotation_tool | From 1.1.0 (inclusive) to 2.42.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects CVAT versions 1.1.0 through 2.41.0. When a user authenticates with Basic HTTP Authentication, CVAT does not check whether the account's email address has been verified, so an account registered with a fake or unverified email address is treated as if it were a verified user. Because the email-verification step can be bypassed this way, bots can sign up and use the system without restriction.
How can this vulnerability impact me?
The vulnerability allows unauthorized or fake users to create accounts and access the system as if their identity had been verified. This enables abuse through bot signups, which can degrade the quality and security of the user base, and it increases the risk of spam or malicious activity on the platform.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade CVAT to version 2.42.0 or later, where the issue is fixed. If you are a CVAT Enterprise customer, you can apply the workaround of disabling user registration, which prevents fake account creation and bot signups until you can upgrade.