CVE-2025-62512
User Enumeration Vulnerability in Piwigo Password Reset Function
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| piwigo | piwigo | From 15.0.0 (inc) to 15.5.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62512 is a user enumeration vulnerability in Piwigo's password reset functionality affecting version 15.5.0 and likely earlier 15.x releases.

The vulnerability occurs because the endpoint password.php?action=lost returns different messages depending on whether the supplied username or email exists in the system.

For non-existent accounts the response is:

- Invalid username or email

For existing accounts the response is one of:

- Password reset is not allowed for this user
- User "%s" has no email address, password reset is not possible
- Check your email for the confirmation link
- Error sending email

This difference in responses allows an unauthenticated attacker to confirm valid usernames or email addresses in the system, enabling user enumeration. [1]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to determine whether specific usernames or email addresses exist in the Piwigo system.
Such user enumeration can facilitate targeted phishing attacks, brute-force attempts, or social engineering attacks by revealing valid user identifiers.
While it does not directly impact system confidentiality, integrity, or availability, it exposes user privacy by leaking information about valid accounts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending POST requests to the endpoint password.php?action=lost with different usernames or email addresses and observing the response messages.

Distinct response messages indicate whether the username or email exists in the system, which confirms the presence of the vulnerability.

For example, using curl commands to test different inputs can reveal the vulnerability (the URL is quoted so the shell does not treat the `?` as a glob):

- curl -X POST -d "username=knownuser" "https://your-piwigo-site/password.php?action=lost"
- curl -X POST -d "username=unknownuser" "https://your-piwigo-site/password.php?action=lost"

Comparing the responses, such as "Invalid username or email" versus messages like "Check your email for the confirmation link" or "Password reset is not allowed for this user", indicates user enumeration is possible. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no patches are available at the time of reporting, the recommended immediate mitigation is to normalize the response messages from the password reset endpoint.

Modify the application to always return a generic, non-disclosing message such as: "If the username or email exists in our system, you will receive an email with reset instructions."

This prevents attackers from distinguishing valid from invalid usernames or emails, thereby mitigating user enumeration. [1]
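The following is an added example, not Piwigo's code and not taken from the advisory. It models the per-outcome messages listed in the description above beside the normalized handler that the mitigation calls for, and adds the response-uniformity check an administrator or developer can keep as a regression test (the detection answer above performs the same comparison by hand with curl). The account table, the probe identifiers and the `send_mail` hook are constructed for the example; a real deployment would wire `send_mail` to its mailer and `log` to its server log.

```python
"""Added example: model of the lost-password responses described in the
advisory, the normalized variant, and a uniformity check for either one.
Not Piwigo's code; accounts and the mail hook are constructed here."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    username: str
    email: Optional[str]
    reset_allowed: bool = True


# Constructed sample accounts (not real data), one per branch in the advisory.
USERS = {
    "alice": User("alice", "alice@example.test"),
    "bob": User("bob", None),                                       # no e-mail on file
    "guest": User("guest", "guest@example.test", reset_allowed=False),
}

# Constructed probe set: two unknown identifiers plus one per known-account branch.
PROBE_IDENTIFIERS = ["nobody", "nobody@example.test", "alice",
                     "alice@example.test", "bob", "guest"]


def _lookup(identifier: str) -> Optional[User]:
    """Resolve a username or e-mail address to an account, or None."""
    if identifier in USERS:
        return USERS[identifier]
    return next((u for u in USERS.values() if u.email == identifier), None)


def lost_password_vulnerable(identifier: str,
                             send_mail: Callable[[str], bool]) -> str:
    """Behaviour described for password.php?action=lost: each outcome has its
    own message, so the body alone tells an unauthenticated caller whether
    the identifier exists (CWE-204)."""
    user = _lookup(identifier)
    if user is None:
        return "Invalid username or email"
    if not user.reset_allowed:
        return "Password reset is not allowed for this user"
    if not user.email:
        return 'User "%s" has no email address, password reset is not possible' % user.username
    if send_mail(user.email):
        return "Check your email for the confirmation link"
    return "Error sending email"


GENERIC_RESPONSE = ("If the username or email exists in our system, "
                    "you will receive an email with reset instructions.")


def lost_password_hardened(identifier: str,
                           send_mail: Callable[[str], bool],
                           log: Callable[[str], None] = lambda _msg: None) -> str:
    """The mitigation from the advisory: every branch returns the same body.
    The outcome that used to be in the response goes to the server-side log,
    where an administrator can still see it."""
    user = _lookup(identifier)
    if user is None:
        log("lost-password: unknown identifier")
    elif not user.reset_allowed:
        log("lost-password: reset not allowed for %s" % user.username)
    elif not user.email:
        log("lost-password: no e-mail on file for %s" % user.username)
    elif not send_mail(user.email):
        log("lost-password: error sending mail for %s" % user.username)
    return GENERIC_RESPONSE


def distinct_responses(handler: Callable[[str, Callable[[str], bool]], str],
                       identifiers: list,
                       send_mail: Callable[[str], bool]) -> set:
    """Feed a mix of known and unknown identifiers to a handler and collect
    the distinct bodies. More than one distinct body is the enumeration
    signal the advisory describes; exactly one means responses are normalized."""
    return {handler(identifier, send_mail) for identifier in identifiers}


if __name__ == "__main__":
    mail_ok = lambda address: True
    print("vulnerable:", distinct_responses(lost_password_vulnerable, PROBE_IDENTIFIERS, mail_ok))
    print("hardened:  ", distinct_responses(lost_password_hardened, PROBE_IDENTIFIERS, mail_ok))
```

Run against the constructed accounts, the vulnerable handler yields four distinct bodies and the hardened one yields exactly the generic sentence. One caveat when applying this to a real deployment: if the mail is sent synchronously inside the request, the "existing account" branch still does more work than the "unknown" branch, so response time can differ even though the body does not; queuing the mail for a background worker keeps the per-request work similar across branches.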