CVE-2025-11441
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11441
EUVD
EUVD-2025-31838
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jhumanj opnform to 1.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
CWE-799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in JhumanJ OpnForm up to version 1.9.3 involves manipulation of the HTTP header 'X-Forwarded-For' to bypass protections against excessive authentication attempts. By spoofing this header, an attacker can circumvent rate-limiting or lockout mechanisms designed to prevent brute-force login attempts, allowing repeated unauthorized login tries remotely without authentication. The vulnerability is classified under CWE-307 and related categories, and although exploitation is difficult, a public proof-of-concept exploit exists. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to perform brute-force attacks on your authentication system remotely. By bypassing the rate-limiting or lockout protections through 'X-Forwarded-For' header manipulation, attackers can attempt multiple login attempts without being blocked, potentially leading to unauthorized access or exposure of confidential information. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for suspicious or excessive authentication attempts that include manipulated 'X-Forwarded-For' headers, which may indicate attempts to bypass brute-force protections. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on unusual patterns of 'X-Forwarded-For' header values or high rates of failed login attempts from varying IP addresses in this header. Commands to detect such activity might include using tools like tcpdump or tshark to filter HTTP headers, for example: tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-Forwarded-For' or tshark -Y 'http.header contains "X-Forwarded-For"' -T fields -e http.host -e http.x_forwarded_for. Additionally, reviewing application logs for repeated failed authentication attempts with varying 'X-Forwarded-For' values can help detect exploitation attempts. [1, 2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the available patch identified by commit hash 11e99960e14ca986b1a001a56e7533223d2cfa5b, which addresses the issue in JhumanJ OpnForm versions up to 1.9.3. This patch fixes the improper restriction of excessive authentication attempts caused by manipulation of the 'X-Forwarded-For' header. Until the patch is applied, it is recommended to implement additional monitoring and rate-limiting controls on authentication attempts, and consider blocking or validating 'X-Forwarded-For' headers to prevent spoofing. Ensuring that brute-force protections cannot be bypassed by header manipulation is critical. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11441. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart