CVE-2025-66289
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-66289, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-29

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-29
Last Modified
2025-12-03
Generated
2026-07-06
AI Q&A
2025-11-29
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
orangehrm orangehrm From 5.0 (inc) to 5.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in OrangeHRM versions 5.0 to 5.7 occurs because the application does not invalidate existing user sessions when a user is disabled or when their password is changed. As a result, session cookies from active sessions remain valid indefinitely, allowing disabled users or attackers with compromised accounts to continue accessing protected pages and performing operations. The server does not revoke sessions or clean up session stores during these critical changes, making administrative disable actions ineffective and enabling unauthorized access even after account closure or password reset. This issue was fixed in version 5.8.

Impact Analysis

This vulnerability can lead to prolonged unauthorized access to the OrangeHRM system. An attacker or a disabled user can continue to use an active session to access sensitive information and perform operations despite account disablement or password changes. This increases the risk and impact of account takeover scenarios, potentially exposing sensitive HR data and administrative functions to unauthorized users.

Mitigation Strategies

Upgrade OrangeHRM to version 5.8 or later, as this version includes a patch that invalidates existing sessions when a user is disabled or a password is changed, preventing active session cookies from remaining valid indefinitely.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66289. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart