CVE-2025-66507
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66507
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
1panel 1panel 2.0.13
fit2cloud 1panel to 2.0.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-602 The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in 1Panel versions 2.0.13 and below allows an unauthenticated attacker to disable CAPTCHA verification by manipulating a client-controlled parameter that the server trusts without proper validation. This bypasses CAPTCHA protections, enabling automated login attempts.

Impact Analysis

By bypassing CAPTCHA protections, attackers can perform automated login attempts, which significantly increases the risk of account takeover (ATO). This can lead to unauthorized access to user accounts and potential compromise of the server management panel.

Mitigation Strategies

Upgrade 1Panel to version 2.0.14 or later, as this version fixes the vulnerability that allows CAPTCHA bypass. Until the upgrade can be applied, consider implementing additional protections such as rate limiting login attempts and monitoring for automated login behaviors to reduce the risk of account takeover.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart