Evmapa
CVE-2025-54816
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.
AnalysisAI
A WebSocket endpoint lacks proper authentication, allowing unauthenticated users to connect and interact with real-time data streams and server-side functionality.
Technical ContextAI
The WebSocket endpoint does not enforce authentication (CWE-306), allowing any client to establish a WebSocket connection and interact with the server's real-time functionality without credentials.
RemediationAI
Implement WebSocket authentication (token-based or session-based). Validate credentials on connection establishment.
This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An
This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charg
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today