CVE-2025-62604
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-28
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metersphere | metersphere | to 2.10.25 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| NVD-CWE-noinfo | Insufficient information (NVD placeholder entry). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability poses a significant confidentiality risk by allowing unauthorized access to user information, which can lead to violations of data protection regulations such as GDPR and HIPAA. Unauthorized disclosure of personal or sensitive data could result in non-compliance with these standards, potentially leading to legal and financial consequences. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the authentication bypass with a crafted POST request to the /signin endpoint whose JSON payload contains a username, an incorrect password, and the parameter "authenticate":"LDAP". For example, the following curl command tests whether the system is vulnerable: `curl -X POST https://<target>/signin -H 'Content-Type: application/json' -d '{"username":"targetuser", "password":"wrongpass", "authenticate":"LDAP"}'`. A successful login without valid credentials indicates that the vulnerability is present. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade MeterSphere to version 2.10.25-lts or later, where the vulnerability has been patched. This update fixes the authentication logic flaw and also upgrades the embedded Redis dependency. Until the upgrade can be applied, consider restricting access to the MeterSphere login endpoint and monitoring for suspicious login attempts using the exploit pattern. [1, 3]
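The two defender-side checks the answer above calls for, as an added example that is not part of this page and not MeterSphere project code: a version comparison against the fixed release (the page's "to 2.10.25 (exc)" range) and a scan of request logs for POST /signin bodies whose "authenticate" value is not "LOCAL". The JSON-lines log layout (fields `ts`, `src`, `method`, `path`, `status`, `body`) and the sample entries are constructed for this example and are an assumption, not MeterSphere's own log format.

```python
"""Triage helpers for CVE-2025-62604 (MeterSphere authentication bypass).

Example code added to this page; not from MeterSphere. The log format
read by find_suspicious_signins() is an assumption for the example.
"""
import json
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Fixed release per the advisory is 2.10.25-lts; anything strictly below is affected.
FIXED_VERSION: Tuple[int, int, int] = (2, 10, 25)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce strings such as '2.10.24-lts' or 'v2.9.0' to a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised MeterSphere version string: {version!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the installed version is below 2.10.25 (the page's affected range)."""
    return parse_version(version) < FIXED_VERSION


def find_suspicious_signins(
    lines: Iterable[str],
    allowed_modes: FrozenSet[str] = frozenset({"LOCAL"}),
) -> List[Dict]:
    """Return POST /signin records whose 'authenticate' value is not an allowed mode.

    On a deployment that legitimately uses LDAP, pass allowed_modes including
    "LDAP" and narrow further by source address or by accounts that are local.
    The password field is deliberately never copied into the hit record.
    """
    hits: List[Dict] = []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if rec.get("method") != "POST" or rec.get("path") != "/signin":
            continue
        body = rec.get("body")
        if isinstance(body, str):  # some loggers store the body as a JSON string
            try:
                body = json.loads(body)
            except json.JSONDecodeError:
                continue
        if not isinstance(body, dict):
            continue
        mode = body.get("authenticate")
        if mode is None or str(mode) in allowed_modes:
            continue
        hits.append({
            "line": lineno,
            "src": rec.get("src"),
            "username": body.get("username"),
            "authenticate": mode,
            "status": rec.get("status"),
        })
    return hits


def count_by_source(hits: List[Dict]) -> Counter:
    """Aggregate hits per source address for quick triage."""
    return Counter(h["src"] for h in hits)


# Constructed sample log (not real traffic). Addresses are documentation ranges.
SAMPLE_LOG = [
    '{"ts":"2025-10-23T08:01:02Z","src":"10.0.0.5","method":"POST","path":"/signin","status":200,'
    '"body":{"username":"alice","password":"[redacted]","authenticate":"LOCAL"}}',
    '{"ts":"2025-10-23T08:02:10Z","src":"10.0.0.5","method":"GET","path":"/signin","status":200}',
    '{"ts":"2025-10-23T08:03:44Z","src":"203.0.113.7","method":"POST","path":"/signin","status":200,'
    '"body":{"username":"admin","password":"[redacted]","authenticate":"LDAP"}}',
    'not json at all',
    '{"ts":"2025-10-23T08:03:45Z","src":"203.0.113.7","method":"POST","path":"/signin","status":200,'
    '"body":"{\\"username\\":\\"bob\\",\\"password\\":\\"[redacted]\\",\\"authenticate\\":\\"LDAP\\"}"}',
    '{"ts":"2025-10-23T08:05:00Z","src":"10.0.0.9","method":"POST","path":"/signin","status":401,'
    '"body":{"username":"carol","password":"[redacted]"}}',
]

if __name__ == "__main__":
    for v in ("2.10.24-lts", "2.10.25-lts"):
        print(v, "affected" if is_affected(v) else "fixed")
    found = find_suspicious_signins(SAMPLE_LOG)
    for h in found:
        print(h)
    print(dict(count_by_source(found)))
```

Run against the sample, the scan reports the two non-LOCAL sign-ins from 203.0.113.7 (lines 3 and 5) and skips the local login, the GET, the malformed line and the request with no "authenticate" field; feed real request logs one line at a time to the same function, and treat a hit that ended in HTTP 200 on a version below 2.10.25 as a likely successful bypass.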
Can you explain this vulnerability to me?
CVE-2025-62604 is a logic flaw in MeterSphere's authentication process prior to version 2.10.25-lts. It allows an unauthenticated attacker to bypass normal login checks by manipulating the 'authenticate' parameter in the login request. Specifically, if this parameter is set to a value other than 'LOCAL' (e.g., 'LDAP'), the system bypasses local authentication and allows the attacker to log in as any user without valid credentials, thereby retrieving arbitrary user information. [3]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated remote attacker to log in as any user without credentials, leading to unauthorized access to user information. The impact includes significant confidentiality risks as attackers can access sensitive user data. Although the impact on system integrity and availability is low, the unauthorized access can compromise user privacy and security. [3]