CVE-2025-66224
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-29

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possible for the application to write files on the server as part of the mail-handling routine, and in deployments where those files end up in web-accessible locations, the behavior can be leveraged to achieve execution of attacker-controlled content. The issue stems entirely from constructing OS-level command strings using unsanitized input within the mail-sending logic. This issue has been patched in version 5.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-29
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-11-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66224
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orangehrm orangehrm From 5.0 (inc) to 5.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OrangeHRM versions 5.0 to 5.7 is due to an input-neutralization flaw in the mail configuration and delivery workflow. User-controlled input is directly incorporated into the system's sendmail command without proper sanitization or constraints. This allows unintended sendmail behaviors during email processing, enabling the application to write files on the server. If these files are placed in web-accessible locations, an attacker can execute malicious content on the server. The root cause is constructing OS-level command strings using unsanitized input in the mail-sending logic. The issue is fixed in version 5.8.

Impact Analysis

This vulnerability can lead to remote code execution by allowing attackers to write and execute malicious files on the server through the mail-handling process. This compromises the server's security, potentially leading to unauthorized access, data breaches, and control over the affected system.

Mitigation Strategies

Upgrade OrangeHRM to version 5.8 or later, where the vulnerability has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart