CVE-2025-66507
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1panel | 1panel | 2.0.13 |
| fit2cloud | 1panel | to 2.0.14 (inc) |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-602 | Client-Side Enforcement of Server-Side Security | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-290 | Authentication Bypass by Spoofing | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
In 1Panel versions 2.0.13 and below, the login endpoint lets the client decide whether CAPTCHA verification runs: a client-controlled parameter is trusted by the server without validation, so an unauthenticated attacker can set it to switch the CAPTCHA check off for their own requests. With the check gone, login attempts against the panel can be fully automated.
How can this vulnerability impact me?
The CAPTCHA is the control that is supposed to stop scripted login attempts. Once it can be bypassed, an attacker can run credential-stuffing or password-guessing tools against the login endpoint at machine speed, which sharply raises the risk of account takeover (ATO). A successful takeover of an administrator account means control of the server management panel and, through it, of the managed host.
What immediate steps should I take to mitigate this vulnerability?
Upgrade 1Panel to version 2.0.14 or later, which fixes the CAPTCHA bypass. Until the upgrade can be applied, add compensating controls that do not depend on the CAPTCHA: rate-limit and temporarily lock out repeated failed logins per account and per source address, and alert on bursts of failed logins, which is what an automated credential attack looks like in the panel's logs.
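The two answers above describe the weakness (the request decides whether the CAPTCHA is enforced) and the compensating control (throttle failed logins). The Go program below is an added example written for this page, not code from 1Panel; it models a login handler in the vulnerable shape next to a hardened one. The `IgnoreCaptcha` field, the user, captcha and password values, and the `MaxFailures` limit are all constructed for the example and do not describe 1Panel's actual request format or fix.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// LoginRequest models the body a JSON login endpoint might accept.
// IgnoreCaptcha is a hypothetical field name chosen for this example; it
// stands in for whatever client-controlled value the affected endpoint
// trusted. It is not taken from 1Panel's source.
type LoginRequest struct {
	Name          string
	Password      string
	CaptchaID     string
	Captcha       string
	IgnoreCaptcha bool
}

var (
	ErrCaptcha  = errors.New("captcha verification failed")
	ErrCreds    = errors.New("invalid username or password")
	ErrThrottle = errors.New("too many failed attempts, try again later")
)

// Server holds the state a login handler needs. All sample data below is
// constructed for this example.
type Server struct {
	mu              sync.Mutex
	CaptchaRequired bool              // server-side policy, set by an admin, never by the client
	users           map[string]string // username -> password (a real server stores a hash)
	captchas        map[string]string // captcha ID -> expected answer, single use
	failures        map[string]int    // failed logins per username
	MaxFailures     int
}

func NewServer(captchaRequired bool) *Server {
	return &Server{
		CaptchaRequired: captchaRequired,
		users:           map[string]string{"admin": "correct-horse-battery"},
		captchas:        map[string]string{"c1": "7x9k", "c2": "q2m8"},
		failures:        map[string]int{},
		MaxFailures:     5,
	}
}

// consumeCaptcha accepts an ID exactly once, so a solved captcha cannot be
// replayed across many login attempts.
func (s *Server) consumeCaptcha(id, answer string) bool {
	want, ok := s.captchas[id]
	if !ok {
		return false
	}
	delete(s.captchas, id)
	return strings.EqualFold(want, answer)
}

func (s *Server) checkPassword(name, password string) bool {
	want, ok := s.users[name]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1
}

// LoginVulnerable reproduces the CWE-602/CWE-807 pattern: the request
// itself decides whether the CAPTCHA is enforced.
func (s *Server) LoginVulnerable(req LoginRequest) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !req.IgnoreCaptcha && !s.consumeCaptcha(req.CaptchaID, req.Captcha) {
		return ErrCaptcha
	}
	if !s.checkPassword(req.Name, req.Password) {
		return ErrCreds
	}
	return nil
}

// LoginHardened ignores the client flag entirely: CAPTCHA enforcement comes
// from server-side policy, and failed attempts are throttled per account so
// the endpoint is not a password oracle even when the CAPTCHA is off.
func (s *Server) LoginHardened(req LoginRequest) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.failures[req.Name] >= s.MaxFailures {
		return ErrThrottle
	}
	if s.CaptchaRequired && !s.consumeCaptcha(req.CaptchaID, req.Captcha) {
		s.failures[req.Name]++
		return ErrCaptcha
	}
	if !s.checkPassword(req.Name, req.Password) {
		s.failures[req.Name]++
		return ErrCreds
	}
	delete(s.failures, req.Name)
	return nil
}

func main() {
	bypass := LoginRequest{Name: "admin", Password: "correct-horse-battery", IgnoreCaptcha: true}
	fmt.Println("vulnerable handler, client sets IgnoreCaptcha:", NewServer(true).LoginVulnerable(bypass))
	fmt.Println("hardened handler, same request:", NewServer(true).LoginHardened(bypass))
	solved := LoginRequest{Name: "admin", Password: "correct-horse-battery", CaptchaID: "c1", Captcha: "7x9k"}
	fmt.Println("hardened handler, solved captcha:", NewServer(true).LoginHardened(solved))
}
```

The point of the hardened version is that nothing in the request body can influence whether `consumeCaptcha` runs; the only way to turn the CAPTCHA off is the server-side `CaptchaRequired` setting. The per-account failure counter is the interim control the answer above recommends: a real deployment would also key it by source address and back it with a store shared across instances.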