CVE-2025-66289
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-29

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-29
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-11-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66289
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orangehrm orangehrm From 5.0 (inc) to 5.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OrangeHRM versions 5.0 to 5.7 occurs because the application does not invalidate existing user sessions when a user is disabled or when their password is changed. As a result, session cookies from active sessions remain valid indefinitely, allowing disabled users or attackers with compromised accounts to continue accessing protected pages and performing operations. The server does not revoke sessions or clean up session stores during these critical changes, making administrative disable actions ineffective and enabling unauthorized access even after account closure or password reset. This issue was fixed in version 5.8.

Impact Analysis

This vulnerability can lead to prolonged unauthorized access to the OrangeHRM system. An attacker or a disabled user can continue to use an active session to access sensitive information and perform operations despite account disablement or password changes. This increases the risk and impact of account takeover scenarios, potentially exposing sensitive HR data and administrative functions to unauthorized users.

Mitigation Strategies

Upgrade OrangeHRM to version 5.8 or later, as this version includes a patch that invalidates existing sessions when a user is disabled or a password is changed, preventing active session cookies from remaining valid indefinitely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66289. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart