CVE-2025-68435
Authentication Bypass in Zerobyte API Allows Unauthorized Access
Publication date: 2025-12-17
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nicotsx | zerobyte | up to 0.18.5 (0.18.5 excluded) |
| nicotsx | zerobyte | 0.19.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Zerobyte versions prior to 0.18.5 and 0.19.0 is an authentication bypass where the authentication middleware is not properly applied to some API endpoints. This means certain API endpoints can be accessed without valid session credentials, allowing unauthorized users to interact with the system.
How can this vulnerability impact me?
The vulnerability can allow unauthorized access to Zerobyte's API endpoints, potentially exposing sensitive backup automation functions to attackers. This is especially dangerous if Zerobyte is exposed outside of a trusted internal network, as attackers could exploit this to compromise data confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
If an immediate upgrade to Zerobyte version 0.18.5 or 0.19.0 is not possible, restrict network access to the Zerobyte instance to trusted networks only, using firewall rules or network segmentation. Upgrading to a fixed version is strongly recommended as the permanent solution.
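The missing-guard pattern described in the answers above, as an added illustration that is not Zerobyte's code: the `requireSession` guard, the route paths and the tiny `dispatch` router are assumed stand-ins for whatever framework the project actually uses. It shows a per-route guard that is forgotten on one endpoint, the router-level fix that applies the guard to every `/api` route, and an audit check a maintainer can run in a test suite to catch any route that slipped through.

```javascript
// Constructed stand-in for a session check; a real app validates the session cookie.
// Returns null when the request is authenticated, otherwise a 401 response object.
function requireSession(req) {
  return req.session && req.session.userId ? null : { status: 401, body: 'unauthorized' };
}

// Vulnerable pattern: the guard is attached route by route, and one route is missed.
function buildVulnerableRoutes() {
  return [
    { path: '/api/backups', middleware: [requireSession], handler: () => ({ status: 200, body: 'list' }) },
    // No guard here: an anonymous caller reaches the handler (the CWE-305 case).
    { path: '/api/backups/run', middleware: [], handler: () => ({ status: 200, body: 'started' }) },
  ];
}

// Hardened pattern: the guard is prepended at router level, so every /api route gets it
// regardless of what the individual route declared.
function buildHardenedRoutes() {
  return buildVulnerableRoutes().map((r) => ({
    ...r,
    middleware: [requireSession, ...r.middleware.filter((m) => m !== requireSession)],
  }));
}

// Minimal dispatcher: run the route's middleware chain, stop at the first rejection.
function dispatch(routes, req) {
  const route = routes.find((r) => r.path === req.path);
  if (!route) return { status: 404, body: 'not found' };
  for (const mw of route.middleware) {
    const rejection = mw(req);
    if (rejection) return rejection;
  }
  return route.handler(req);
}

// Audit: list every /api route whose middleware chain lacks the session guard.
// An empty result is the invariant a test suite should assert on after each route change.
function unguardedApiRoutes(routes) {
  return routes
    .filter((r) => r.path.startsWith('/api') && !r.middleware.includes(requireSession))
    .map((r) => r.path);
}
```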