CVE-2025-53544 (GCVE-0-2025-53544)
Vulnerability from cvelistv5 – Published: 2025-08-05 00:14 – Updated: 2025-08-05 13:55
VLAI?
Title
Trilium Notes is Vulnerable to Brute-force Protection Bypass via Initial Sync Seed Retrieval
Summary
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a single-user app without a username requirement, and brute-force protection bypass makes exploitation much more feasible. Multiple features provided by Trilium (e.g. MFA, share notes, custom request handler) indicate that Trilium can be exposed to the internet. This is fixed in version 0.97.0.
Severity ?
7.5 (High)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TriliumNext | Trilium |
Affected:
< 0.97.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53544",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T13:55:52.241713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T13:55:55.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Trilium",
"vendor": "TriliumNext",
"versions": [
{
"status": "affected",
"version": "\u003c 0.97.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a single-user app without a username requirement, and brute-force protection bypass makes exploitation much more feasible. Multiple features provided by Trilium (e.g. MFA, share notes, custom request handler) indicate that Trilium can be exposed to the internet. This is fixed in version 0.97.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T00:14:33.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r"
},
{
"name": "https://github.com/TriliumNext/Trilium/pull/6243/commits/04c8f8a1234e8c9f4a87da187180375227b21223",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TriliumNext/Trilium/pull/6243/commits/04c8f8a1234e8c9f4a87da187180375227b21223"
},
{
"name": "https://github.com/TriliumNext/Trilium/releases/tag/v0.97.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TriliumNext/Trilium/releases/tag/v0.97.0"
}
],
"source": {
"advisory": "GHSA-hw5p-ff75-327r",
"discovery": "UNKNOWN"
},
"title": "Trilium Notes is Vulnerable to Brute-force Protection Bypass via Initial Sync Seed Retrieval"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53544",
"datePublished": "2025-08-05T00:14:33.857Z",
"dateReserved": "2025-07-02T15:15:11.515Z",
"dateUpdated": "2025-08-05T13:55:55.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-53544\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-05T01:15:40.920\",\"lastModified\":\"2025-08-05T14:34:17.327\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a single-user app without a username requirement, and brute-force protection bypass makes exploitation much more feasible. Multiple features provided by Trilium (e.g. MFA, share notes, custom request handler) indicate that Trilium can be exposed to the internet. This is fixed in version 0.97.0.\"},{\"lang\":\"es\",\"value\":\"Trilium Notes es una aplicaci\u00f3n de c\u00f3digo abierto, multiplataforma y jer\u00e1rquica para tomar notas, enfocada en la creaci\u00f3n de grandes bases de conocimiento personales. En versiones anteriores a la 0.97.0, una omisi\u00f3n de la protecci\u00f3n contra ataques de fuerza bruta en el endpoint de recuperaci\u00f3n de la semilla de sincronizaci\u00f3n inicial permite a atacantes no autenticados adivinar la contrase\u00f1a de inicio de sesi\u00f3n sin activar la limitaci\u00f3n de velocidad. Trilium es una aplicaci\u00f3n monousuario que no requiere nombre de usuario, y la omisi\u00f3n de la protecci\u00f3n contra ataques de fuerza bruta facilita considerablemente su explotaci\u00f3n. Varias funciones de Trilium (como la autenticaci\u00f3n multifactor, compartir notas y el gestor de solicitudes personalizado) indican que Trilium puede estar expuesto a internet. Esto se ha corregido en la versi\u00f3n 0.97.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-307\"}]}],\"references\":[{\"url\":\"https://github.com/TriliumNext/Trilium/pull/6243/commits/04c8f8a1234e8c9f4a87da187180375227b21223\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/TriliumNext/Trilium/releases/tag/v0.97.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53544\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-05T13:55:52.241713Z\"}}}], \"references\": [{\"url\": \"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-05T13:55:45.584Z\"}}], \"cna\": {\"title\": \"Trilium Notes is Vulnerable to Brute-force Protection Bypass via Initial Sync Seed Retrieval\", \"source\": {\"advisory\": \"GHSA-hw5p-ff75-327r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"TriliumNext\", \"product\": \"Trilium\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.97.0\"}]}], \"references\": [{\"url\": \"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r\", \"name\": \"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hw5p-ff75-327r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/TriliumNext/Trilium/pull/6243/commits/04c8f8a1234e8c9f4a87da187180375227b21223\", \"name\": \"https://github.com/TriliumNext/Trilium/pull/6243/commits/04c8f8a1234e8c9f4a87da187180375227b21223\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/TriliumNext/Trilium/releases/tag/v0.97.0\", \"name\": \"https://github.com/TriliumNext/Trilium/releases/tag/v0.97.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a single-user app without a username requirement, and brute-force protection bypass makes exploitation much more feasible. Multiple features provided by Trilium (e.g. MFA, share notes, custom request handler) indicate that Trilium can be exposed to the internet. This is fixed in version 0.97.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-307\", \"description\": \"CWE-307: Improper Restriction of Excessive Authentication Attempts\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-05T00:14:33.857Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-53544\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-05T13:55:55.320Z\", \"dateReserved\": \"2025-07-02T15:15:11.515Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-05T00:14:33.857Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…