CVE-2025-47776

CVE-2025-47776 is a critical authentication bypass vulnerability in Mantis Bug Tracker (MantisBT), an open-source issue tracking system, affecting versions 2.27.1 and earlier. The flaw arises from the incorrect use of loose equality comparison (==) instead of strict equality (===) in the authentication code when using the MD5 login method. This triggers PHP type juggling, where certain MD5 password hashes represented in scientific notation are interpreted as numbers, specifically allowing hashes that evaluate to zero to match incorrectly. The vulnerability is rated 9.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-305.

An unauthenticated attacker with network access can exploit this vulnerability if they know the victim's username and have access to an account whose password hash evaluates to zero. By entering any password whose MD5 hash also evaluates to zero during login, the attacker can impersonate the victim without knowing their actual password, gaining unauthorized access to the account. This enables high-impact confidentiality and integrity violations, such as data exfiltration or modification.

The vulnerability is fixed in MantisBT version 2.27.2. The GitHub security advisory (GHSA-4v8w-gg5j-ph37) and the fixing commit (966554a19cf1bdbcfbfb3004766979faa748f9a2) detail the patch, which replaces the loose comparison with a strict one to prevent type juggling. Security practitioners should immediately upgrade affected instances to version 2.27.2 or later.