Description

CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0.

INFO

Published Date :

2025-06-18T22:15:16.890Z

Last Modified :

2025-06-23T16:42:24.165Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49591 vulnerability.

Vendors Products
Xwiki
  • Cryptpad
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49591.

URL Resource
https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/lib/http-worker.js#L356-L364 cve-icon cve-icon
https://github.com/cryptpad/cryptpad/commit/0c5d4bbf5e5206d53470ea86a664fa2b703fb611 cve-icon cve-icon
https://github.com/cryptpad/cryptpad/commit/f624f9d457d36040f57c7598d98a8b9461b79837 cve-icon cve-icon
https://github.com/cryptpad/cryptpad/security/advisories/GHSA-xq5x-wgcm-3p33 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact