Cryptpad CVE-2025-49591

EUVD-2025-18909 · CRITICAL
Improper Access Control (CWE-284)
2025-06-18 security-advisories@github.com
9.1
CVSS 3.1 · GitHub Advisory
Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (5 events)

EUVD ID Assigned: Mar 14, 2026 - 22:49 (euvd): EUVD-2025-18909
Analysis Generated: Mar 14, 2026 - 22:49 (vuln.today)
Patch released: Mar 14, 2026 - 22:49 (nvd): Patch available
PoC Detected: Aug 11, 2025 - 18:20 (vuln.today): Public exploit code
CVE Published: Jun 18, 2025 - 23:15 (nvd): CRITICAL 9.1

Description (GitHub Advisory)

CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0.

Analysis (AI)

CryptPad versions prior to 2025.3.0 contain a critical authentication bypass vulnerability that allows attackers to circumvent Two-Factor Authentication (2FA) enforcement through a trivial path parameter manipulation. An attacker who obtains valid user credentials can bypass 2FA protection by URL-encoding a single character in the access path, gaining full account access without the second authentication factor. The vulnerability has a CVSS score of 9.1 (Critical) and requires no special privileges or user interaction to exploit.

Technical Context (AI)

CryptPad is a collaboration suite that implements 2FA as a security control to protect user accounts. The vulnerability stems from improper access control enforcement (CWE-284: Improper Access Control) in the authentication logic. The 2FA validation mechanism relies on a length check on a path parameter (specifically requiring exactly 44 characters), and that check is the sole gate for enforcing the second factor. Because the check is applied to the raw, still-encoded parameter, an attacker can defeat it by URL-encoding a single character (e.g., converting a character to its %XX form): the perceived length no longer matches during validation, while the decoded path still routes to the same resource. The affected product is the CryptPad collaboration platform (a matching CPE would be cpe:2.3:a:cryptpad:cryptpad:*:*:*:*:*:*:*:* for versions before 2025.3.0). The root cause is insufficient input validation and reliance on a single weak parameter check rather than robust cryptographic session validation or proper state management.
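The gating flaw described above, shown as an added illustration rather than CryptPad's actual code: a raw-length 2FA gate next to a hardened gate that decodes the parameter first, fails closed on malformed input, and enforces 2FA from session state (the 44-character length, the identifier alphabet and the session field names are assumptions):

```javascript
// Added illustration (hypothetical, not CryptPad's code) of the bug class
// described above: a 2FA gate keyed on the raw length of a URL path
// parameter, and a hardened version that canonicalises the parameter and
// keys enforcement on session state instead. The 44-character length,
// the identifier alphabet and the session fields are assumptions.

const ID_LENGTH = 44;
const ID_PATTERN = /^[A-Za-z0-9_-]{44}$/; // assumed URL-safe id shape

// Vulnerable pattern: the raw (still percent-encoded) parameter is measured,
// and 2FA is demanded only when its length is exactly ID_LENGTH. Encoding
// one character changes the length ("%61" is 3 chars but decodes to "a"),
// so the gate returns false and the request proceeds without a second factor.
function requires2faVulnerable(rawParam) {
  return rawParam.length === ID_LENGTH;
}

function decodeParam(rawParam) {
  try {
    return decodeURIComponent(rawParam);
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Hardened pattern: decode first, validate the decoded value against the
// expected shape, refuse anything malformed (fail closed), and decide on
// 2FA from what the session records about the user, not from parameter shape.
function gateHardened(rawParam, session) {
  const id = decodeParam(rawParam);
  if (id === null || !ID_PATTERN.test(id)) {
    return { allow: false, reason: 'malformed-id' };
  }
  if (session.totpEnrolled && !session.totpVerified) {
    return { allow: false, reason: '2fa-required' };
  }
  return { allow: true, reason: 'ok', id };
}

// Constructed sample input: a well-formed id and the same id with its first
// character percent-encoded (46 raw characters, 44 once decoded).
const SAMPLE_ID = 'a'.repeat(ID_LENGTH);
const SAMPLE_ID_ENCODED = '%61' + 'a'.repeat(ID_LENGTH - 1);
```

The same decode-then-validate check doubles as a patch verification probe: a fixed gate must still demand the second factor when the identifier arrives percent-encoded.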

Remediation (AI)

Immediate actions: (1) Upgrade CryptPad to version 2025.3.0 or later; this is the definitive fix that properly enforces 2FA validation. (2) For organizations unable to patch immediately: do not rely on 2FA as a control in the meantime, and add network-level access controls, IP allowlisting, or VPN-only access for CryptPad instances. (3) Review access logs for suspicious authentication patterns or path manipulation attempts (for example, percent-encoded characters in otherwise fixed-length path parameters) that may indicate exploitation. (4) Force a password reset for all users as a precaution, particularly those with 2FA enabled, since 2FA was not actually protecting their accounts. (5) Monitor for indicators of compromise in collaborative documents, particularly those marked sensitive. (6) For self-hosted instances, apply the patch from the official CryptPad repository immediately. Workarounds are not recommended, as they do not address the fundamental authentication bypass; patching is essential. Verify that the patch is applied by testing 2FA enforcement with URL-encoded path parameters to confirm the bypass is closed.

CVE-2025-49591 vulnerability details – vuln.today