CVE-2025-7897
BaseFortify

Publication date: 2025-07-20

Last updated on: 2025-11-20

Assigner: VulDB

Description
A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-20
EPSS evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: harry0703
Product: moneyprinterturbo
Version / Range: up to 1.2.6 (inclusive)
CWE
CWE-306 (Missing Authentication for Critical Function): The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7897 is a critical vulnerability in MoneyPrinterTurbo up to version 1.2.6 where the authentication mechanism has been disabled or bypassed. Specifically, the function verify_token in the file app/controllers/base.py, which is supposed to enforce authentication, is not used anywhere in the code. This results in all API endpoints being accessible without any authentication, allowing unauthorized users to access sensitive functionalities such as video generation, task management, and file uploads. [1, 2]
How can this vulnerability impact me?

This vulnerability allows remote attackers to bypass authentication and gain unauthorized access to all API functionalities. This can lead to unauthorized use of sensitive operations, potential data exposure, manipulation, or deletion, and overall compromise of the system's confidentiality, integrity, and availability. Since no authentication is required, exploitation is easy and can be performed remotely without credentials. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the API endpoints of MoneyPrinterTurbo version 1.2.6 for authentication bypass. Since the verify_token function is not used and authentication is missing, you can attempt to access API endpoints without any authentication tokens or credentials. For example, you can use curl to send requests to the API endpoints and check whether access is granted without authentication. Example command: curl -X GET http://<target>/api/endpoint -v (replace /api/endpoint with an actual API path). If the request succeeds with no authentication headers or tokens, the system is vulnerable. [1, 2]
What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include replacing the affected MoneyPrinterTurbo software version 1.2.6 with an alternative solution, as no known countermeasures or patches are currently available. Restricting network access to the API endpoints and implementing external authentication or firewall rules to block unauthorized access can also help reduce risk until a fix or update is available. [2]