CVE-2025-49591

EUVD-2025-18909 | CRITICAL
2025-06-18 [email protected]
9.1 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated - Mar 14, 2026 - 22:49 (vuln.today)
EUVD ID Assigned - Mar 14, 2026 - 22:49 (euvd): EUVD-2025-18909
Patch Released - Mar 14, 2026 - 22:49 (nvd): Patch available
PoC Detected - Aug 11, 2025 - 18:20 (vuln.today): Public exploit code
CVE Published - Jun 18, 2025 - 23:15 (nvd): CRITICAL 9.1

Description

CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0.

Analysis

CryptPad versions prior to 2025.3.0 contain a critical authentication bypass vulnerability that allows attackers to circumvent Two-Factor Authentication (2FA) enforcement through a trivial path parameter manipulation. An attacker who obtains valid user credentials can bypass 2FA protection by URL-encoding a single character in the access path, gaining full account access without the second authentication factor. The vulnerability has a CVSS score of 9.1 (Critical) and requires no special privileges or user interaction to exploit.

Technical Context

CryptPad is a collaboration suite that implements 2FA as a security control to protect user accounts. The vulnerability stems from improper access control enforcement (CWE-284: Improper Access Control) in the authentication logic. The 2FA validation mechanism relies on a path parameter length check (specifically requiring exactly 44 characters), which serves as the sole gating mechanism for enforcing second-factor authentication. This design flaw allows an attacker to bypass the length validation by URL-encoding a single character (e.g., replacing a space or special character with its %XX percent-encoded form), which changes the perceived path length during validation while the decoded path still routes to the same resource. The affected product is the CryptPad collaboration platform (the corresponding CPE would be cpe:2.3:a:cryptpad:cryptpad:*:*:*:*:*:*:*:* for versions before 2025.3.0). The root cause is insufficient input validation and reliance on a single weak parameter check rather than robust cryptographic session validation or proper state management.

Affected Products

CryptPad versions prior to 2025.3.0 are affected. This includes all 2025.x versions below 2025.3.0 and all earlier stable releases. Self-hosted CryptPad instances running any version before 2025.3.0 are vulnerable. SaaS offerings hosted by CryptPad should have been patched by the vendor. Specific vulnerable versions include 2025.1.0, 2025.2.x and earlier releases (2024.x and prior). The patch is available in CryptPad version 2025.3.0 and later. Organizations should check their deployment version against the CryptPad release notes at https://github.com/xwiki-labs/cryptpad or their official advisory channels.

Remediation

Immediate actions:

(1) Upgrade CryptPad to version 2025.3.0 or later - this is the definitive fix that properly enforces 2FA validation.
(2) For organizations unable to immediately patch: temporarily disable 2FA reliance and implement network-level access controls, IP whitelisting, or require VPN access to CryptPad instances.
(3) Review access logs for any suspicious authentication patterns or path manipulation attempts that may indicate exploitation.
(4) Force password reset for all users as a precautionary measure, particularly those with 2FA enabled (the 2FA was providing false security).
(5) Monitor for any indicators of compromise in collaborative documents, particularly those marked sensitive.
(6) For self-hosted instances, apply the patch from the official CryptPad repository immediately.

Workarounds are not recommended as they do not address the fundamental authentication bypass - patching is essential. Verify patch application by testing 2FA enforcement with URL-encoded path parameters to confirm the bypass is closed.
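The gate described under Technical Context, together with the verification and log-review steps above, as an added illustration in JavaScript. This is not CryptPad's code: the route shape, the names authorizeVulnerable, authorizeHardened, flagSuspiciousPath and isValidAccountId, and the assumption that the 44-character path is a 32-byte base64 identifier are all reconstructed from the advisory text, not taken from the CryptPad source. It contrasts a gate that keys only on the raw path's length with one that canonicalises the path first and keys second-factor enforcement on the account's own state.

```javascript
// Added example (not CryptPad's code): models the class of gate the advisory
// describes and a hardened replacement. Route shape, function names and the
// identifier format are assumptions reconstructed from the advisory text.

// Constructed sample account id: 32 fixed bytes render as 44 base64 characters,
// the length the advisory says the vulnerable check keys on.
const ACCOUNT_ID = Buffer.alloc(32, 7).toString("base64");

// Simulated server-side state: accounts that have enrolled a second factor.
const totpEnabled = new Set([ACCOUNT_ID]);

// Assumed identifier shape: 43 base64 characters plus one '=' pad.
function isValidAccountId(id) {
  return /^[A-Za-z0-9+/]{43}=$/.test(id);
}

// Vulnerable shape: the raw request path is the only thing the 2FA gate looks
// at, and only a 44-character path is treated as account access. Routing then
// decodes the path, so a percent-encoded form of the same id is never gated.
function authorizeVulnerable(rawPath, secondFactorOk) {
  const gated = rawPath.length === 44 && totpEnabled.has(rawPath);
  if (gated && !secondFactorOk) return "denied: second factor required";
  let id;
  try { id = decodeURIComponent(rawPath); } catch { return "denied: malformed path"; }
  return isValidAccountId(id) ? `granted:${id}` : "denied: bad id";
}

// Hardened shape: canonicalise first, validate the decoded identifier
// strictly, and key 2FA enforcement on the account's state rather than on
// any property of the request's surface form (length included).
function authorizeHardened(rawPath, secondFactorOk) {
  let id;
  try { id = decodeURIComponent(rawPath); } catch { return "denied: malformed path"; }
  if (!isValidAccountId(id)) return "denied: bad id";
  if (totpEnabled.has(id) && !secondFactorOk) return "denied: second factor required";
  return `granted:${id}`;
}

// Log-review heuristic for step (3) above: an account path whose raw form
// differs from its decoded form had no reason to be encoded by a normal
// client, so such requests are worth surfacing from access logs.
function flagSuspiciousPath(rawPath) {
  let id;
  try { id = decodeURIComponent(rawPath); } catch { return true; }
  return id !== rawPath && isValidAccountId(id);
}
```

Running the two authorizers on the constructed id, once plain and once with its trailing pad character percent-encoded (46 characters instead of 44), shows the vulnerable gate skipping the second factor on the encoded form while the hardened gate still demands it; the same decoded-versus-raw comparison drives the log heuristic, which is what the "verify the bypass is closed" step above amounts to when automated.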

Priority Score

66
KEV: 0
EPSS: +0.2
CVSS: +46
POC: +20


CVE-2025-49591 vulnerability details – vuln.today
