CVE-2025-56332
Published: 30 December 2025
Description
Authentication Bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resource via Insecure Default Configuration
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates insecure default configurations in fosrl/pangolin by requiring establishment, documentation, and enforcement of secure configuration settings for system components.
- Limits and documents permitted actions without identification or authentication, preventing unauthorized access to Pangolin resources via authentication bypass.
- Enforces approved access authorizations and policies, countering authentication bypass vulnerabilities that allow logical access to sensitive resources.
Security Summary
CVE-2025-56332 is an authentication bypass vulnerability in fosrl/pangolin versions v1.6.2 and prior, caused by an insecure default configuration. This flaw allows attackers to access Pangolin resources without proper authentication.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), making it exploitable by unauthenticated attackers over the network with low attack complexity and no user interaction required. Exploitation grants high confidentiality and integrity impacts, enabling unauthorized access and potential modification of sensitive Pangolin resources, while availability remains unaffected. It is associated with CWE-1188 (Insecure Default Initialization of Resource).
Mitigation guidance and additional details are available in advisories at https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75 and the project repository https://github.com/fosrl/pangolin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-56332 is an authentication bypass in a network-accessible service (AV:N/PR:N), directly enabling exploitation of a public-facing application for unauthorized access.