CVE-2025-53544
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trilium | trilium | 0.97.0 |
| trilium | trilium | 0.96.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53544 is a vulnerability in Trilium Notes (versions below 0.97.0) where the brute-force protection can be bypassed on the initial sync seed retrieval endpoint (/api/setup/sync-seed). This endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting, making brute-force attacks much easier. Since Trilium is a single-user app that only requires a password (no username), and the password is sent in a specific HTTP header, attackers can repeatedly try passwords without being blocked. This vulnerability enables attackers to gain unauthorized access to the application. [3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows attackers to brute-force the login password without restriction, potentially gaining unauthorized access to the Trilium Notes application. Since Trilium is a single-user app with powerful features, attackers who succeed can execute server-side code through endpoints like /api/script/exec or /api/script/run/nodeid, leading to possible full compromise of the application. The lack of rate limiting on the vulnerable endpoint makes exploitation much more feasible, especially if the application is exposed to the internet. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or testing the /api/setup/sync-seed endpoint for brute-force attempts without rate limiting. A proof-of-concept Python script exists that sends concurrent GET requests to /api/setup/sync-seed with different base64-encoded passwords in the 'trilium-cred' HTTP header and checks for HTTP 200 responses indicating successful authentication. Network detection can involve inspecting traffic for repeated requests to this endpoint with varying 'trilium-cred' headers. Specific commands are not provided, but using tools like curl or custom scripts to send requests to /api/setup/sync-seed with different passwords and observing responses can help detect exploitation attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Trilium Notes to version 0.97.0 or later, where the vulnerability is fixed by adding rate limiting middleware to the /api/setup/sync-seed and /api/login/sync endpoints. This patch prevents brute-force attacks by enforcing request rate limits on pre-authentication endpoints. Until upgrading, restricting access to these endpoints (e.g., via firewall rules) or disabling internet exposure can reduce risk. [1, 2, 3]