Passy
CVE-2025-67397
CRITICAL
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An issue in Passy v.1.6.3 allows a remote authenticated attacker to execute arbitrary commands via a crafted HTTP request using a specific payload injection.
AnalysisAI
Passy v1.6.3 password manager allows authenticated administrators to execute arbitrary OS commands via crafted HTTP requests. The scope change from application to OS makes this critical despite requiring high privileges.
Technical ContextAI
An authenticated admin can inject commands through a specific HTTP request parameter (CWE-77). The scope change indicates command execution breaks out of the Passy application to the host OS. Compromising a password manager's host server exposes all stored credentials.
RemediationAI
Update Passy when a patch is available. Restrict admin access. Monitor for unusual HTTP requests to the Passy server.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today