CVE-2025-53922
Authorization Bypass in Galette Group Manager on Contributions
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| galette | galette | 1.2.0 |
| galette | galette | 1.1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an access control bypass in the Galette membership management application. Specifically, users logged in as group managers can bypass intended restrictions on Contributions and Transactions, allowing them to perform actions they should not be authorized to do. It is classified as an Incorrect Authorization issue (CWE-863). The flaw affects versions 1.1.4 up to but not including 1.2.0, where it has been fixed. [1]
How can this vulnerability impact me? :
This vulnerability can allow group managers to access or modify Contributions and Transactions without proper authorization. This could lead to unauthorized financial changes or data manipulation within the membership management system, potentially causing financial discrepancies or misuse of funds. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade Galette to version 1.2.0 or later, as this version contains the fix for the access control bypass vulnerability affecting versions 1.1.4 and prior. [1]