JhumanJ OpnForm CVE-2025-11441
Severity: LOW (by source)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue.
Analysis (AI-generated)
OpnForm versions up to 1.9.3 fail to properly restrict excessive authentication attempts when the X-Forwarded-For HTTP header is manipulated, allowing remote attackers to bypass rate-limiting controls. Because the throttle keys attempts on the header value rather than on the connecting address, a client can present a different apparent source IP on each request and conduct brute-force attacks against user credentials without triggering the per-IP lockout. Publicly available exploit code exists; however, the CVSS score of 2.9 and EPSS percentile of 35% indicate a low real-world exploitation likelihood despite the public PoC, suggesting that specific application configurations or deployment contexts are needed for this to be practically exploitable.
Technical Context (AI-generated)
OpnForm's HTTP Header Handler incorrectly trusts the X-Forwarded-For header when implementing authentication attempt throttling, a common misconfiguration in web applications deployed behind proxies or load balancers. The X-Forwarded-For header is intended to convey the original client IP in proxy chains but is trivially spoofable by unauthenticated remote clients if not validated. This violates CWE-307 (Improper Restriction of Excessive Authentication Attempts), which covers rate-limiting bypass vulnerabilities. The vulnerability exists in the component responsible for parsing and using client identity information for security controls, allowing attackers to appear as different clients with each request and evade per-IP request throttling.
Remediation (AI-generated)
Upgrade OpnForm to a version containing the patch commit 11e99960e14ca986b1a001a56e7533223d2cfa5b, available in the upstream repository at https://github.com/JhumanJ/OpnForm/pull/900/commits/11e99960e14ca986b1a001a56e7533223d2cfa5b. As an interim compensating control, if OpnForm is deployed behind a reverse proxy (nginx, Apache, HAProxy), configure the proxy to validate and normalize the X-Forwarded-For header, accepting it only from trusted upstream sources and stripping user-supplied values. Alternatively, configure the application to use a fixed trusted proxy IP list and ignore X-Forwarded-For headers from untrusted sources, ensuring authentication rate-limiting uses the immediate TCP connection source IP instead of the header value. Additionally, implement a Web Application Firewall rule to flag or block requests with multiple authentication attempts from spoofed source IPs within a time window.
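The following is an added illustration of the trusted-proxy pattern recommended above; it is not OpnForm's code and not the upstream patch. It contrasts a login throttle that keys on X-Forwarded-For as received (the CWE-307 pattern this page describes) with one that honours the header only when the immediate TCP peer is in an assumed TRUSTED_PROXIES list and otherwise keys on the connection's source address. The proxy networks, MAX_ATTEMPTS, WINDOW_SECONDS and all IP addresses are constructed values from the documentation ranges, not taken from any real deployment.

```python
"""Login rate limiter: header-trusting (weak) vs. trusted-proxy-aware (hardened).

Added example; not OpnForm's code. TRUSTED_PROXIES and the limits are assumed
values that a deployment would set to match its own reverse-proxy layout.
"""
import ipaddress
import time
from collections import defaultdict
from typing import Optional

MAX_ATTEMPTS = 5       # assumed: failed logins allowed per key per window
WINDOW_SECONDS = 60    # assumed: sliding window length

# Assumed: addresses of the reverse proxies this deployment trusts.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr: ipaddress._BaseAddress, trusted) -> bool:
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip: str, xff_header: Optional[str],
                      trusted=TRUSTED_PROXIES) -> str:
    """Return the address that authentication throttling should key on.

    If the TCP peer is not a trusted proxy, X-Forwarded-For is caller-controlled
    and is ignored. If it is, walk the comma-separated chain from the right
    (the proxy-appended end), skip trusted hops, and use the first untrusted
    address: the client as seen by the outermost trusted proxy. Any malformed
    hop, or a chain made only of trusted hops, falls back to the peer address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted) or not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip
        if not _is_trusted(addr, trusted):
            return str(addr)
    return peer_ip


class LoginRateLimiter:
    """Sliding-window counter of failed login attempts per derived client key."""

    def __init__(self, trust_header_blindly: bool, clock=time.monotonic):
        self.trust_header_blindly = trust_header_blindly
        self.clock = clock
        self.attempts = defaultdict(list)

    def key_for(self, peer_ip: str, headers: dict) -> str:
        xff = headers.get("X-Forwarded-For")
        if self.trust_header_blindly:
            # Weak form: the header is used verbatim no matter who sent it,
            # so the key is chosen by the requester rather than by the network.
            return (xff or peer_ip).split(",")[0].strip()
        return resolve_client_ip(peer_ip, xff)

    def allow(self, peer_ip: str, headers: dict) -> bool:
        """Record one attempt and report whether it is within the limit."""
        key = self.key_for(peer_ip, headers)
        now = self.clock()
        recent = [t for t in self.attempts[key] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_ATTEMPTS:
            self.attempts[key] = recent
            return False
        recent.append(now)
        self.attempts[key] = recent
        return True


def count_allowed(limiter: LoginRateLimiter, peer_ip: str, n: int) -> int:
    """Replay n failed logins from one TCP peer, each carrying a different
    constructed X-Forwarded-For value, and return how many the limiter let
    through. A correct limiter caps this at MAX_ATTEMPTS for an untrusted peer."""
    allowed = 0
    for i in range(n):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}  # constructed (TEST-NET-3)
        if limiter.allow(peer_ip, headers):
            allowed += 1
    return allowed


if __name__ == "__main__":
    peer = "198.51.100.7"  # constructed untrusted peer (TEST-NET-2)
    print("weak limiter allowed:", count_allowed(LoginRateLimiter(True), peer, 20))
    print("hardened limiter allowed:", count_allowed(LoginRateLimiter(False), peer, 20))
```

The hardened path implements the "fixed trusted proxy IP list" control from the remediation text: the header can only shift the throttling key when the request actually arrived through a listed proxy, and the proxy itself must still be configured to overwrite, not append to, any X-Forwarded-For it receives from the outside so that the rightmost untrusted hop is the real client.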