Home > Vulnerability Database > CVE-2025-49591

Mend.io Vulnerability Database

CVE-2025-49591

Good to know:

Date: June 18, 2025

CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0.

Severity Score

8.8

Related Resources (6)

Url: https://github.com/cryptpad/cryptpad/security/advisories/GHSA-xq5x-wgcm-3p33

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-49591

Url: https://github.com/cryptpad/cryptpad/commit/0c5d4bbf5e5206d53470ea86a664fa2b703fb611

Url: https://github.com/cryptpad/cryptpad/commit/f624f9d457d36040f57c7598d98a8b9461b79837

Url: https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/lib/http-worker.js#L356-L364

Url: https://www.mend.io/vulnerability-database/CVE-2025-49591

Severity Score

8.8

Weakness Type (CWE)

Improper Authentication

CWE-287

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version https://github.com/cryptpad/cryptpad.git - 2025.3.0

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-49591

Good to know:

Date: June 18, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?