CVE-2025-67853
Rate Limiting Bypass in Moodle Email Service Enables Credential Enumeration

Publication date: 2026-02-03

Last updated on: 2026-02-11

Assigner: Fedora Project

Description
A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.
Meta Information
Published: 2026-02-03
Last Modified: 2026-02-11
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 5 associated CPEs
Vendor | Product | Version / Range
moodle | moodle | from 4.4.0 (inclusive) to 4.4.11 (exclusive)
moodle | moodle | from 4.5.0 (inclusive) to 4.5.8 (exclusive)
moodle | moodle | from 5.0.0 (inclusive) to 5.0.4 (exclusive)
moodle | moodle | 5.1.0
moodle | moodle | up to 4.1.22 (exclusive)
CWE
CWE-307: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Moodle is due to a lack of proper rate limiting in the confirmation email service. Because of this flaw, a remote attacker can repeatedly attempt to enumerate or guess user credentials without being blocked or slowed down, making brute-force attacks against user accounts easier. [1]


How can this vulnerability impact me?

The vulnerability can allow attackers to perform brute-force attacks on user accounts by guessing or enumerating credentials more easily. This can lead to unauthorized access to user accounts, potentially compromising sensitive information or user data. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring Moodle's confirmation email service for unusually high or rapid request volumes that could indicate brute-force attempts. Web server or application logs should be analyzed for repeated requests to the confirmation email endpoint from the same source. Specific commands are not provided in the available resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing proper rate limiting on the Moodle confirmation email service to restrict the number of attempts an attacker can make. Monitoring and alerting on suspicious activity targeting the confirmation email endpoint is also recommended. No specific patches or configuration commands are detailed in the provided resources. [1]
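As an added defender-side illustration (not from the advisory, the cited resources, or Moodle's own code), the block below combines the detection and mitigation recommendations above: a sliding-window rate limiter of the kind a confirmation email endpoint should enforce, replayed over a few constructed log lines to flag sources that exceed the limit. The endpoint path (`CONFIRM_ENDPOINT`), the log line format, the sample addresses and the thresholds are all assumptions made for the example; the real Moodle URL is not named on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder path: the page does not name the real confirmation email URL,
# so this value is an assumption used only to tag the relevant log lines.
CONFIRM_ENDPOINT = "/login/confirm_email_placeholder.php"


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within a trailing time window.

    This is the control the mitigation text calls for: each key (here a
    source address) gets a bounded number of attempts per window, so an
    unthrottled guessing loop is cut off instead of running unchecked.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        q = self.hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: deny, do not record the attempt
        q.append(now)
        return True


def parse_log_line(line):
    """Parse the constructed format: '<ip> <ISO timestamp> <method> <path> <status>'."""
    ip, ts, method, path, status = line.split()
    return ip, datetime.fromisoformat(ts), method, path, int(status)


def find_bursts(lines, limit=5, window_seconds=60):
    """Replay log lines through the limiter; return sources that exceed it.

    Result maps source address -> number of requests beyond the limit,
    which is the signal the detection text describes: repeated access to
    the confirmation email endpoint in a short time from one source.
    """
    limiter = SlidingWindowLimiter(limit, window_seconds)
    flagged = defaultdict(int)
    for line in lines:
        ip, ts, _method, path, _status = parse_log_line(line)
        if path != CONFIRM_ENDPOINT:
            continue  # only the confirmation endpoint is of interest here
        if not limiter.allow(ip, ts):
            flagged[ip] += 1
    return dict(flagged)


# Constructed sample log: one source hammers the endpoint every 3 seconds,
# another makes two ordinary requests, and one unrelated page hit is ignored.
SAMPLE_LOG = [
    "10.0.0.5 2026-02-03T10:00:00 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.5 2026-02-03T10:00:03 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.7 2026-02-03T10:00:05 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.5 2026-02-03T10:00:06 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.5 2026-02-03T10:00:09 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.5 2026-02-03T10:00:10 GET /login/index.php 200",
    "10.0.0.5 2026-02-03T10:00:12 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.5 2026-02-03T10:00:15 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.7 2026-02-03T10:00:17 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.5 2026-02-03T10:00:18 POST /login/confirm_email_placeholder.php 200",
    "10.0.0.5 2026-02-03T10:00:21 POST /login/confirm_email_placeholder.php 200",
]

if __name__ == "__main__":
    for ip, excess in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {excess} requests over the limit")
```

In production the same limiter would be keyed by the targeted account as well as by source address, since a distributed attempt spreads requests across many addresses while still converging on one account; the per-key structure above supports that by calling `allow` once per key.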


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Moodle allows attackers to enumerate or guess user credentials through a lack of proper rate limiting in the confirmation email service, facilitating brute-force attacks.

Such unauthorized access risks could lead to exposure of personal or sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user information and preventing unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

