CVE-2025-66225
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-29

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-29
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-11-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66225
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orangehrm orangehrm From 5.0 (inc) to 5.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OrangeHRM versions 5.0 to 5.7 involves the password reset workflow not verifying that the username submitted in the final reset request matches the account for which the reset was initiated. An attacker who obtains a valid reset link for any account they can receive email for can modify the username parameter to reset the password of a different user, including privileged accounts, leading to full account takeover. This flaw was fixed in version 5.8.

Impact Analysis

The vulnerability allows an attacker to take over any user account, including privileged accounts, by resetting their passwords without proper verification. This can lead to unauthorized access, data breaches, and potential misuse of sensitive HR information within the OrangeHRM system.

Mitigation Strategies

Upgrade OrangeHRM to version 5.8 or later, where the vulnerability has been patched. Until the upgrade can be performed, restrict access to the password reset functionality and monitor for suspicious password reset activities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart