EUVD-2025-17800
GHSA-7rhv-xm4q-wh42
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Description
Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.
Analysis
Erxes versions prior to 1.6.1 contain a critical authentication bypass vulnerability where attackers can impersonate any user by injecting arbitrary values into the 'User' HTTP header, gaining unauthorized access to all GraphQL endpoints. This CWE-284 (Incorrect Access Control) flaw requires no authentication credentials, no user interaction, and can be exploited over the network with trivial complexity, resulting in complete compromise of confidentiality, integrity, and availability (CVSS 9.8). The vulnerability likely has active exploitation potential given the simplicity of the attack vector and the critical nature of authentication bypass flaws in widely-deployed platforms.
Technical Context
Erxes is a cloud-based CRM and engagement platform that uses GraphQL as its primary API interface. The vulnerability stems from improper input validation and trust of HTTP headers for authentication decisions. The application likely implements custom authentication middleware that extracts user identity from a 'User' HTTP header without validating its authenticity or source. This represents a fundamental violation of secure authentication principles—HTTP headers are client-controlled and can be trivially forged unless cryptographically validated. The root cause falls under CWE-284 (Improper Access Control) with specific application to authentication bypass (CWE-287 sublcass). Rather than using cryptographically-signed tokens (JWT, OAuth2, session cookies with secure flags), the application trusts explicit user identifiers in headers, allowing complete header spoofing. This affects all GraphQL operations exposed by Erxes, including user data queries, CRM operations, and administrative functions.
Affected Products
Erxes platform versions prior to 1.6.1. CPE would be approximately 'cpe:2.3:a:erxes:erxes:*:*:*:*:*:*:*:*' with version matching '<1.6.1'. Affected versions include all 1.6.0 and earlier releases. Multi-tenant deployments and self-hosted instances are equally vulnerable. Cloud-hosted Erxes SaaS instances should be prioritized for immediate patch deployment. Any integration or deployment utilizing Erxes as a CRM backend (marketing automation, customer support, sales pipelines) exposes the entire user database and transaction history to unauthorized access.
Remediation
Immediate actions: (1) Upgrade Erxes to version 1.6.1 or later—this is a mandatory patch with no viable workaround for complete closure. (2) If immediate upgrade is not possible, implement network-level mitigations: restrict GraphQL endpoint access via IP allowlisting, require request signing via reverse proxy (AWS WAF, Cloudflare, ModSecurity), and monitor for suspicious 'User' header injection attempts in access logs. (3) Implement strict authentication validation at the application level: replace header-based user identification with cryptographically-signed JWT tokens or session cookies with HttpOnly/Secure flags. (4) Conduct security audit of all custom authentication middleware; validate that all API endpoints enforce proper authorization checks independent of HTTP headers. (5) Review access logs for exploitation evidence: grep for anomalous 'User' header values, cross-tenant access patterns, or requests from unexpected source IPs. (6) Reset passwords for all administrative and service accounts as precaution against credential compromise during the vulnerability window. Vendor advisory: Consult official Erxes security release notes for 1.6.1 for detailed patching instructions and rollback procedures if needed.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today