CVE-2025-8546
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-09-03
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pybbs_project | pybbs | to 6.0.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-804 | The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8546 is a vulnerability in the atjiu pyBBS project (version 6.0.0 and earlier) involving the CAPTCHA implementation in the frontend login and registration functions. The CAPTCHA codes do not automatically refresh and can be reused multiple times, allowing attackers to bypass CAPTCHA protections. Additionally, the registration function leaks information by revealing if a username already exists, enabling attackers to enumerate valid usernames via brute-force attacks. Once valid usernames are identified, attackers can attempt password brute-forcing on the login endpoint. The vulnerability allows remote attackers to bypass CAPTCHA verification and facilitates credential brute-forcing. [1, 3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to bypass CAPTCHA protections designed to prevent automated login attempts. Attackers can enumerate valid usernames due to information leakage during registration and then perform password brute-force attacks on those accounts. This can lead to unauthorized access to user accounts, potentially compromising user data and system integrity. Since the attack can be performed remotely without authentication, it increases the risk of automated attacks and unauthorized access. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for repeated reuse of the same CAPTCHA value in login or registration attempts, as the CAPTCHA does not refresh automatically. Additionally, attempts to enumerate usernames can be detected by observing repeated registration requests that trigger "Username already exists" responses. A practical approach is to use web application security testing tools like Burp Suite to automate username enumeration and password brute-forcing attempts against the /api/register and /api/login endpoints. Specific commands are not provided in the resources, but using Burp Suite's Intruder or Repeater features to test for username enumeration and CAPTCHA reuse is recommended. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch identified by commit ecaf8d46944fd03e3c4ea05698f8acf0aaa570cf, which modifies the pybbs code to remove the CAPTCHA from the user session immediately after validation, preventing reuse. This patch affects multiple controller methods including adminlogin, login, register, sms_code, and mobile_login. Applying this patch ensures that CAPTCHA codes are one-time use only, effectively mitigating the CAPTCHA bypass vulnerability. Additionally, monitoring and limiting repeated failed login or registration attempts can help reduce brute-force risks until the patch is applied. [2, 4]
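To make the one-time-use behaviour of the fix concrete, the following is an added illustration and not pybbs code (pybbs itself is Java): a reusable-CAPTCHA check of the kind described above beside a check that consumes the stored challenge on every validation attempt. The session is modelled as a plain dict, and the session key and function names are assumptions.

```python
import hmac
import secrets
import string

# Constructed stand-in for a server-side session attribute; the key name is an assumption.
CAPTCHA_KEY = "captcha"


def issue_captcha(session: dict, length: int = 4) -> str:
    """Generate a fresh challenge and store its answer in the session."""
    alphabet = string.ascii_uppercase + string.digits
    code = "".join(secrets.choice(alphabet) for _ in range(length))
    session[CAPTCHA_KEY] = code
    return code


def verify_captcha_reusable(session: dict, submitted: str) -> bool:
    """Weak pattern: compares but never clears the stored answer, so one
    solved challenge validates an unlimited number of later requests."""
    expected = session.get(CAPTCHA_KEY)
    return expected is not None and submitted.upper() == expected


def verify_captcha_once(session: dict, submitted: str) -> bool:
    """Hardened pattern, mirroring what the patch described above does:
    the stored answer is removed before the result is returned, so every
    attempt, right or wrong, consumes the challenge and the client must
    request a new CAPTCHA before trying again."""
    expected = session.pop(CAPTCHA_KEY, None)
    if expected is None:
        return False
    # Constant-time comparison over bytes; a length mismatch simply fails.
    return hmac.compare_digest(submitted.upper().encode(), expected.encode())


def count_accepted(verify, attempts: int = 5) -> int:
    """How many submissions of the same solved code a verifier accepts."""
    session: dict = {}
    code = issue_captcha(session)
    return sum(1 for _ in range(attempts) if verify(session, code))
```

With the reusable check every replay of a solved code is accepted; with the consuming check only the first one is, and a wrong guess also burns the stored challenge.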