CVE-2025-54573 (GCVE-0-2025-54573)

Vulnerability from cvelistv5 – Published: 2025-07-30 14:32 – Updated: 2025-07-30 14:45
VLAI?
Summary
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE
  • CWE-287 - Improper Authentication
Assigner
References
Impacted products
Vendor Product Version
cvat-ai cvat Affected: >= 1.1.0, < 2.42.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54573",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T14:45:02.234517Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T14:45:10.490Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cvat",
          "vendor": "cvat-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.1.0, \u003c 2.42.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T14:32:03.675Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q"
        },
        {
          "name": "https://github.com/cvat-ai/cvat/commit/bc20eff16b8406fbb755f6540e6f269da0c9c5b2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cvat-ai/cvat/commit/bc20eff16b8406fbb755f6540e6f269da0c9c5b2"
        }
      ],
      "source": {
        "advisory": "GHSA-fxgh-m76j-242q",
        "discovery": "UNKNOWN"
      },
      "title": "CVAT vulnerable to email verification bypass by use of basic authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54573",
    "datePublished": "2025-07-30T14:32:03.675Z",
    "dateReserved": "2025-07-25T16:19:16.091Z",
    "dateUpdated": "2025-07-30T14:45:10.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54573\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-30T15:15:35.707\",\"lastModified\":\"2025-09-11T15:52:45.970\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue.\"},{\"lang\":\"es\",\"value\":\"CVAT es una herramienta interactiva de c\u00f3digo abierto para la anotaci\u00f3n de im\u00e1genes y videos para visi\u00f3n artificial. En las versiones 1.1.0 a 2.41.0, la verificaci\u00f3n de correo electr\u00f3nico no se aplicaba al usar la autenticaci\u00f3n HTTP b\u00e1sica. Como resultado, los usuarios pod\u00edan crear cuentas con direcciones de correo electr\u00f3nico falsas y usar el producto como usuarios verificados. Adem\u00e1s, la falta de verificaci\u00f3n de correo electr\u00f3nico deja el sistema expuesto a registros de bots y a otros usos. CVAT 2.42.0 y versiones posteriores incluyen una soluci\u00f3n para este problema. Los clientes de CVAT Enterprise tienen una soluci\u00f3n alternativa; pueden desactivar el registro para evitar este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.0\",\"versionEndExcluding\":\"2.42.0\",\"matchCriteriaId\":\"CFECB2B9-8BE0-45D7-8A9B-2D5DF510EA3A\"}]}]}],\"references\":[{\"url\":\"https://github.com/cvat-ai/cvat/commit/bc20eff16b8406fbb755f6540e6f269da0c9c5b2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54573\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-30T14:45:02.234517Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-30T14:39:56.399Z\"}}], \"cna\": {\"title\": \"CVAT vulnerable to email verification bypass by use of basic authentication\", \"source\": {\"advisory\": \"GHSA-fxgh-m76j-242q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"cvat-ai\", \"product\": \"cvat\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.1.0, \u003c 2.42.0\"}]}], \"references\": [{\"url\": \"https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q\", \"name\": \"https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/cvat-ai/cvat/commit/bc20eff16b8406fbb755f6540e6f269da0c9c5b2\", \"name\": \"https://github.com/cvat-ai/cvat/commit/bc20eff16b8406fbb755f6540e6f269da0c9c5b2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-30T14:32:03.675Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54573\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-30T14:45:10.490Z\", \"dateReserved\": \"2025-07-25T16:19:16.091Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-30T14:32:03.675Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.