CVE-2025-58443
BaseFortify
Publication date: 2025-09-06
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fogproject | fogproject | up to and including 1.5.10.1673 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58443 is a critical authentication bypass in FOGProject versions prior to 1.5.10.1693 and 1.6.0-beta.2225. The check in is_authorized() treats any HTTP request carrying the header 'X-Requested-With: XMLHttpRequest' as authorized, regardless of whether the client holds a valid session. Because that header is set by the client and is not a credential, anyone who can reach the web interface can add it and call endpoints that should require a logged-in user, allowing them to dump the full SQL database, perform Server-Side Request Forgery (SSRF) from the server, and list arbitrary files on it. [1]
How can this vulnerability impact me?
Without any credentials, an attacker who can reach the FOG web interface can read the entire SQL database, which contains sensitive data such as hashed and plaintext passwords for FTP and other services. The same bypass lets them perform SSRF requests from the server and list arbitrary files on it, which can lead to further compromise of the host and the systems it manages. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be spotted by watching HTTP requests to the FOGProject server for the header 'X-Requested-With: XMLHttpRequest' on endpoints reachable through the bypass, such as '/fog/management/export.php', '/fog/service/getversion.php', or '/fog/status/getfiles.php'. Note that FOG's own web UI sends this header on its AJAX calls, so the header alone is not an indicator; the suspicious pattern is that header on one of those endpoints from a client that has no session cookie or that never logged in through the management UI. If the server still speaks plaintext HTTP, network capture tools such as tcpdump or Wireshark can filter for such requests, for example: tcpdump -i any -l -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'X-Requested-With: XMLHttpRequest' (the BPF expression keeps only TCP segments that carry payload; -l line-buffers the output so grep sees it promptly). This does not work once the interface is served over TLS. Web server access logs are the other source, but the default Apache combined format does not record request headers, so to search logs for this header the LogFormat must first be extended with a field such as %{X-Requested-With}i; otherwise, look for requests to the endpoints above from source addresses that never loaded the management login page. [1]
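The log review described above, as an added example that is not part of the original page or of the FOG project. It assumes an Apache LogFormat that appends the X-Requested-With and Cookie request headers to the combined format (an assumption; FOG's default logging does not include them) and uses constructed sample lines. Requests to the three endpoints named on the page that carry the bypass header are flagged: high confidence when no session cookie accompanies them, lower confidence (for manual review) when one does, since a logged-in UI session sends the same header.

```python
"""Flag possible CVE-2025-58443 exploitation in Apache access logs.

Assumed (not FOG's default) LogFormat, combined plus two request headers:
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \
             \"%{X-Requested-With}i\" \"%{Cookie}i\"" fogaudit
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Endpoints the page names as reachable through the is_authorized() bypass.
SENSITIVE_PATHS = {
    "/fog/management/export.php",
    "/fog/service/getversion.php",
    "/fog/status/getfiles.php",
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<xrw>[^"]*)" "(?P<cookie>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    user_agent: str
    confidence: str  # "high": bypass header, no session; "review": header + session


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[Finding]:
    """Decide whether a parsed request looks like use of the header bypass."""
    path = rec["target"].split("?", 1)[0]  # drop query string before matching
    if path not in SENSITIVE_PATHS:
        return None
    # Without the header the request would simply fail authentication.
    if rec["xrw"] != "XMLHttpRequest":
        return None
    # Apache logs "-" for an absent header. A real UI session carries PHPSESSID.
    has_session = rec["cookie"] != "-" and "PHPSESSID=" in rec["cookie"]
    confidence = "review" if has_session else "high"
    return Finding(rec["ip"], rec["ts"], path, rec["ua"], confidence)


def scan(lines: List[str]) -> List[Finding]:
    """Run the classifier over log lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # Logged-in UI user: header present, session cookie present -> review only.
    '10.0.0.5 - - [06/Sep/2025:10:14:55 +0000] "GET /fog/management/export.php HTTP/1.1" '
    '200 48211 "https://fog.example.internal/fog/management/index.php" "Mozilla/5.0" '
    '"XMLHttpRequest" "PHPSESSID=3f9c1e2a; fogtheme=default"',
    # Unauthenticated client adding the header by hand -> high confidence.
    '198.51.100.23 - - [06/Sep/2025:10:15:02 +0000] "GET /fog/management/export.php HTTP/1.1" '
    '200 48211 "-" "curl/8.4.0" "XMLHttpRequest" "-"',
    # Same client without the header: the bypass is not in play here.
    '198.51.100.23 - - [06/Sep/2025:10:15:10 +0000] "GET /fog/status/getfiles.php HTTP/1.1" '
    '200 312 "-" "curl/8.4.0" "-" "-"',
    # Ordinary page load, not a sensitive endpoint.
    '10.0.0.5 - - [06/Sep/2025:10:16:00 +0000] "GET /fog/management/index.php HTTP/1.1" '
    '200 9120 "-" "Mozilla/5.0" "-" "PHPSESSID=3f9c1e2a"',
    # Query string is stripped before the path check -> high confidence.
    '203.0.113.9 - - [06/Sep/2025:10:17:41 +0000] "GET /fog/service/getversion.php?_=1757153861 HTTP/1.1" '
    '200 18 "-" "python-requests/2.32.3" "XMLHttpRequest" "-"',
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.confidence:6} {f.ts} {f.ip} {f.path} ({f.user_agent})")
```

Run against a live file with `scan(open("/var/log/apache2/access.log"))` once the extended LogFormat is in place; "high" findings from addresses that never logged in are the ones to treat as exploitation attempts.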
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade FOGProject to a patched build: version 1.5.10.1693 or later on the 1.5 branch, or 1.6.0-beta.2225 or later on the 1.6 development branch. Both contain the fix for the is_authorized() bypass. The advisory noted that a stable release was planned for September 15, 2025; users who needed the fix before then were directed to install the patched builds following the FOG Project documentation at https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version. No other effective mitigations are mentioned. [1] As a general compensating control until the upgrade is done, restricting network access to the FOG web interface (for example, firewalling it to administrator networks) limits who can reach the affected endpoints, since the bypass needs only HTTP access.
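A version triage helper, added here as an example and not part of the page or the FOG project. It encodes only the fixed versions stated above (1.5.10.1693 on the 1.5 branch, 1.6.0-beta.2225 on the 1.6 branch) and reports whether a FOG version string falls below the fix for its branch. The version string format (numeric components, optional "-beta.N" style suffix) is an assumption drawn from the version numbers quoted on the page; branches newer than 1.6 are outside the advisory's stated range and are reported as not affected.

```python
"""Decide whether a FOGProject version string is affected by CVE-2025-58443."""
import re
from typing import Dict, Tuple

# Fixed versions from the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (1, 5): "1.5.10.1693",
    (1, 6): "1.6.0-beta.2225",
}

# Ordering of pre-release labels; a final release sorts above all of them.
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d+)?)?$")

Parsed = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_version(version: str) -> Parsed:
    """Parse '1.5.10.1693' or '1.6.0-beta.2225' into a comparable tuple pair.

    The first element is the numeric components; the second ranks the
    pre-release suffix so that alpha < beta < rc < final release.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised FOG version string: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is None:
        pre = (1,)  # final release
    else:
        label = m.group(2).lower()
        if label not in PRE_ORDER:
            raise ValueError(f"unknown pre-release label in {version!r}")
        pre = (0, PRE_ORDER[label], int(m.group(3) or 0))
    return numbers, pre


def is_affected(version: str) -> bool:
    """True if the version is older than the fix for its branch."""
    parsed = parse_version(version)
    branch = parsed[0][:2]
    if branch in FIXED_BY_BRANCH:
        return parsed < parse_version(FIXED_BY_BRANCH[branch])
    # Anything before the 1.5 branch predates both fixes.
    if branch < (1, 5):
        return True
    # Branches newer than the advisory describes: not in its stated range.
    return False


def triage(versions) -> Dict[str, bool]:
    """Map each version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory of version strings (not real hosts).
    for v, hit in triage(["1.5.10", "1.5.10.1673", "1.5.10.1693",
                          "1.6.0-beta.2200", "1.6.0-beta.2225"]).items():
        print(f"{v:18} {'UPGRADE' if hit else 'ok'}")
```

Feed it the version each server reports (for example from the FOG web UI's About page) to sort an inventory into hosts that still need the upgrade and hosts already on a fixed build.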