CVE-2025-22144
Published: 13 January 2025
Description
NamelessMC is a free, easy-to-use and powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users, and once an account has been validated that way an attacker can reset its password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions the reset_code is no longer NULL but an empty string. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= (an empty reset code) and reset the password. As a result an attacker may compromise another user's password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Security Summary
CVE-2025-22144 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in NamelessMC, a free website software for Minecraft servers. The flaw stems from improper handling of password reset codes during user validation. Specifically, when an account is approved via email, the reset_code remains NULL, but manual validation by a user with admincp.core.emails or admincp.users.edit permissions sets the reset_code to an empty string instead of NULL. An empty code supplied to the forgot-password endpoint then matches that empty stored value, which enables unauthorized password resets. The issue is linked to CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).
An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction by sending a request to the /forgot_password/ endpoint (e.g., http://localhost/nameless/index.php?route=/forgot_password/&c=). This allows the attacker to reset the password of any user account, resulting in full account takeover and potential compromise of associated Minecraft server access or other linked resources.
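The NULL-versus-empty-string distinction is the whole bug, so the following added example (not NamelessMC's code, and not its schema) reproduces it on a constructed SQLite table: a faulty manual-validation routine leaves reset_code as '', a weak lookup then matches an empty c= value, and a hardened lookup plus a corrected validation routine (reset_code set to NULL) close the gap. Table layout, function names and the 32-character minimum code length are assumptions for illustration.

```python
import secrets
import sqlite3

# Constructed sample accounts (not NamelessMC data): every account starts
# with reset_code NULL, which is the only correct "no reset pending" state.
SAMPLE_USERS = [
    (1, "alice", 0, None),
    (2, "bob", 0, None),
    (3, "carol", 1, None),
]
MIN_CODE_LEN = 32  # hex length of a 16-byte token; an assumption for this example


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "active INTEGER NOT NULL, reset_code TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def request_reset(conn: sqlite3.Connection, user_id: int) -> str:
    """Legitimate forgot-password flow: issue a random token and store it."""
    code = secrets.token_hex(16)
    conn.execute("UPDATE users SET reset_code = ? WHERE id = ?", (code, user_id))
    return code


def validate_manually_faulty(conn: sqlite3.Connection, user_id: int) -> None:
    """The faulty state the advisory describes: staff validation leaves
    reset_code as an empty string instead of NULL."""
    conn.execute("UPDATE users SET active = 1, reset_code = '' WHERE id = ?", (user_id,))


def validate_manually_fixed(conn: sqlite3.Connection, user_id: int) -> None:
    """Corrected behaviour: clearing a reset code means setting it to NULL."""
    conn.execute("UPDATE users SET active = 1, reset_code = NULL WHERE id = ?", (user_id,))


def lookup_vulnerable(conn: sqlite3.Connection, code):
    """Weak lookup: matches whatever arrived in the c= parameter, '' included.
    In SQL, NULL = '' is not true, but '' = '' is, so a faulty-validated
    account is returned for an empty code."""
    row = conn.execute(
        "SELECT username FROM users WHERE reset_code = ?", (code,)
    ).fetchone()
    return row[0] if row else None


def lookup_hardened(conn: sqlite3.Connection, code):
    """Hardened lookup: refuse missing, empty or short codes before querying,
    and never treat a NULL or '' stored value as a pending reset."""
    if not isinstance(code, str) or len(code) < MIN_CODE_LEN:
        return None
    row = conn.execute(
        "SELECT username FROM users "
        "WHERE reset_code IS NOT NULL AND reset_code <> '' AND reset_code = ?",
        (code,),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Walk through the faulty state, the hardened lookup, and the corrected fix."""
    conn = make_db()
    validate_manually_faulty(conn, 2)          # bob validated by staff the faulty way
    carol_code = request_reset(conn, 3)        # carol genuinely requested a reset
    results = {
        "vulnerable_empty_code": lookup_vulnerable(conn, ""),      # 'bob': takeover
        "hardened_empty_code": lookup_hardened(conn, ""),          # None
        "hardened_real_code": lookup_hardened(conn, carol_code),   # 'carol'
    }
    validate_manually_fixed(conn, 2)           # re-validate bob with the corrected routine
    results["vulnerable_after_fix"] = lookup_vulnerable(conn, "")  # None
    return results


if __name__ == "__main__":
    print(demo())
```

Both halves of the fix matter: the validation path must store NULL rather than '', and the lookup path must reject empty or malformed codes on its own, so that a stray empty string in the column can never be turned into a reset. A detection angle for defenders follows directly from the same condition: forgot-password requests whose code parameter is empty should never succeed, so a successful reset with an empty c= value in web logs is worth an alert.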
The NamelessMC GitHub security advisory (GHSA-p883-7496-x35p) and release notes for version 2.1.3 confirm the issue has been fixed in that update, urging all users to upgrade immediately. No workarounds are available.
Details
- CWE(s)