CVE-2025-61775
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-14
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vickey | vickey | 2025.10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Vickey (prior to version 2025.10.0) allows unexpired email confirmation links to be reused multiple times to send repeated confirmation emails to a verified email address. The system does not properly invalidate or restrict the reuse of these confirmation links after their initial use, leading to unintended repeated email traffic. It does not expose user data but can cause resource consumption issues. [1]
How can this vulnerability impact me?
The vulnerability can result in unintended repeated confirmation emails being sent to verified email addresses, which may cause resource consumption and potential denial of service due to uncontrolled resource usage. However, it does not compromise user data confidentiality. The impacts include low integrity and availability concerns due to unauthorized repeated actions and resource exhaustion. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for repeated use of the same email confirmation link that results in multiple confirmation emails being sent to an already verified address. Because the issue is the reuse of unexpired confirmation links, check your mail server logs or application logs for repeated confirmation requests carrying the same link or token. Detection commands would typically search the logs for repeated hits on the confirmation endpoint, or repeated sends to the same address within a short time frame. For example, on server logs: grep 'confirmation' /var/log/app.log | grep '<email_address>' | sort | uniq -c to count repeated confirmation attempts (the sort is needed so that uniq -c counts non-adjacent duplicates). However, no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Vickey platform to version 2025.10.0 or later, where the issue has been fixed by improving validation logic to prevent reuse of email confirmation links after completion. No workarounds are available, so applying the official patch or update is necessary to address the vulnerability. [1]
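The following is an added illustration of the CWE-613 / CWE-770 pattern described above, not Vickey's code: a small confirmation-link handler that can run either as the reported behaviour (an unexpired link can be replayed and each replay sends another mail) or as the hardened variant (the token is consumed on first use). The class, function and method names, the token TTL and the in-memory token store are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed link validity window, in seconds


class ConfirmationService:
    """Illustrative confirmation-link handler (not Vickey's code).
    single_use=False reproduces the reported behaviour: an unexpired link can
    be replayed and every replay sends another mail to the verified address.
    single_use=True is the hardened variant: the token is consumed on first use."""

    def __init__(self, single_use=True, now=time.time):
        self.single_use = single_use
        self.now = now                # injectable clock for testing
        self.tokens = {}              # sha256(token) -> {email, expires, used}
        self.verified = set()
        self.outbox = []              # constructed mail sink: recipient addresses

    def issue(self, email):
        """Mint a link token, store only its hash, and mail the raw token."""
        if email in self.verified:
            return None               # already confirmed: nothing to send
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = {"email": email, "expires": self.now() + TOKEN_TTL, "used": False}
        self.outbox.append(email)
        return token

    def confirm(self, token):
        """Handle a click on the link; returns a status string."""
        rec = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return "invalid"
        if self.now() > rec["expires"]:
            return "expired"
        if self.single_use and rec["used"]:
            return "already_used"     # replay rejected: no mail is sent
        rec["used"] = True
        self.verified.add(rec["email"])
        self.outbox.append(rec["email"])  # "address confirmed" notification
        return "confirmed"


def replay_count(single_use, replays=5):
    """Mails sent and per-click statuses after one issue and `replays` link hits."""
    svc = ConfirmationService(single_use=single_use, now=lambda: 1_000_000.0)
    token = svc.issue("user@example.test")
    statuses = [svc.confirm(token) for _ in range(replays)]
    return len(svc.outbox), statuses
```

With `single_use=False` five clicks on one link produce six mails (the original plus one per replay); with `single_use=True` only the first click is honoured and later clicks are reported as already used.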