CVE-2025-62604
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-28

Assigner: GitHub, Inc.

Description
MeterSphere is an open source continuous testing platform. Prior to version 2.10.25-lts, a logic flaw allows retrieval of arbitrary user information. This allows an unauthenticated attacker to log in to the system as any user. This issue has been patched in version 2.10.25-lts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-10-28
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62604
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
metersphere metersphere to 2.10.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62604 is a logic flaw in MeterSphere's authentication process prior to version 2.10.25-lts. It allows an unauthenticated attacker to bypass normal login checks by manipulating the 'authenticate' parameter in the login request. Specifically, if this parameter is set to a value other than 'LOCAL' (e.g., 'LDAP'), the system bypasses local authentication and allows the attacker to log in as any user without valid credentials, thereby retrieving arbitrary user information. [3]

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to log in as any user without credentials, leading to unauthorized access to user information. The impact includes significant confidentiality risks as attackers can access sensitive user data. Although the impact on system integrity and availability is low, the unauthorized access can compromise user privacy and security. [3]

Compliance Impact

This vulnerability poses a significant confidentiality risk by allowing unauthorized access to user information, which can lead to violations of data protection regulations such as GDPR and HIPAA. Unauthorized disclosure of personal or sensitive data could result in non-compliance with these standards, potentially leading to legal and financial consequences. [3]

Detection Guidance

This vulnerability can be detected by attempting to exploit the authentication bypass using a crafted POST request to the /signin endpoint with a JSON payload containing a username, a false password, and the parameter "authenticate":"LDAP". For example, you can use the following curl command to test if the system is vulnerable: curl -X POST https://<target>/signin -H 'Content-Type: application/json' -d '{"username":"targetuser", "password":"wrongpass", "authenticate":"LDAP"}'. A successful login without valid credentials indicates the vulnerability is present. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade MeterSphere to version 2.10.25-lts or later, where the vulnerability has been patched. This update fixes the authentication logic flaw and also upgrades the embedded Redis dependency. Until the upgrade can be applied, consider restricting access to the MeterSphere login endpoint and monitoring for suspicious login attempts using the exploit pattern. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62604. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart