CVE-2025-25206
Published: 14 February 2025
Description
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Security Summary
CVE-2025-25206 is an input validation vulnerability (CWE-89) affecting eLabFTW, an open source electronic lab notebook used in research labs. In versions prior to 5.1.15, the flaw allows authenticated users to access sensitive information stored in the database, such as login tokens and other confidential content, due to improper handling of inputs.
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). Successful exploitation enables reading of sensitive data, potentially leading to privilege escalation, particularly when cookies are enabled, which is the default configuration.
The eLabFTW release notes and GitHub security advisory recommend upgrading to version 5.1.15, which addresses the issue through corrected input validation. No workarounds are available. Relevant resources include the release page at https://github.com/elabftw/elabftw/releases/tag/5.1.15 and the advisory at https://github.com/elabftw/elabftw/security/advisories/GHSA-qffc-rfjh-77gg.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web app allows authenticated low-priv users to read DB data including login tokens, enabling exploitation of public-facing app (T1190), privilege escalation (T1068), and access to unsecured credentials (T1552).