CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies such as Federated Learning and Multi-Party Computation. If an attacker gets access to an authenticated session, they can try to brute-force the user's password using the change-password functionality: they can call that route indefinitely, and it returns a message that the password is wrong until the correct one is supplied. This vulnerability is fixed in 4.11.
Analysis
Critical brute-force vulnerability in vantage6 (an open-source federated learning and privacy-enhancing technology framework) that allows an attacker who already holds a valid authenticated session to brute-force the user's password through the change-password endpoint, which has no rate limiting or account lockout protection. The attacker can submit password candidates indefinitely by calling the password-change route repeatedly; each response states whether the supplied current password was correct. The vulnerability affects vantage6 versions prior to 4.11 and carries a CVSS score of 9.8 (critical severity).
Technical Context
vantage6 is a federated learning framework that manages privacy-enhancing technologies and multi-party computation. The vulnerability lies in the password-change endpoint and is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). The root cause is the absence of rate limiting, CAPTCHA protection, account lockout policies, or exponential backoff on the password-change API endpoint. An attacker holding a valid session token (obtained through compromise, social engineering, or session fixation) can therefore test password candidates systematically, using the API response messages, which reveal whether the submitted current password was valid, as the oracle. The endpoint fails to implement standard brute-force protections such as: (1) limiting authentication attempts per session/IP, (2) enforcing progressive delays between attempts, (3) temporarily locking accounts after repeated failures, or (4) requiring additional verification (TOTP, email confirmation) for password changes.
Affected Products
vantage6 versions prior to 4.11 are affected. Specific affected versions likely include 4.10.x, 4.9.x, 4.8.x and earlier. Exploitation requires: (1) a vantage6 API service that is running and reachable by the attacker, either from the internet or from within the network, (2) an attacker possessing a valid authenticated session token or credentials, and (3) user accounts with predictable or weak passwords. The CPE designation would be cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:* (versions <4.11). Affected deployments include academic institutions, healthcare organizations, and financial institutions using vantage6 for federated learning research and production systems.
Remediation
IMMEDIATE ACTIONS:
(1) Upgrade to vantage6 version 4.11 or later; this is the primary remediation confirmed in the CVE description.
(2) For organizations unable to patch immediately: implement rate limiting at the reverse proxy/API gateway level (e.g., nginx, AWS WAF, Cloudflare), restricting the password-change endpoint to 5 attempts per IP/session per 15 minutes.
(3) Enable account lockout after 5-10 failed password-change attempts, with a 30-minute lockout duration.
(4) Require secondary verification (email confirmation token, TOTP) for password changes.
(5) Monitor API logs for repeated failed password-change attempts and alert on suspicious patterns.
(6) Force a password reset for all users post-incident if a breach is suspected.
(7) Review session token expiration policies; reduce session timeout to 1-4 hours maximum.
(8) Implement request signing/CSRF tokens on password-change endpoints.
(9) Log and audit all password-change activity with source IP tracking.
VENDOR PATCH: Update to vantage6 4.11+, which includes explicit rate limiting and account lockout controls on authentication endpoints.
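As an added illustration of the missing control and of the lockout guidance above (example code written for this entry, not vantage6's own implementation): a password-change handler in the vulnerable shape, which answers every call with whether the current password was right, beside a guarded version that tracks failures per user, locks the account after the advisory's 5 attempts, and returns the same message on every failure. The in-memory user store, the fixed salt and all function names are assumptions made for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # thresholds follow the advisory's guidance
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60

def _hash(pw: str) -> bytes:
    # Fixed salt keeps the demo short; real code stores a random per-user salt.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 50_000)

# Constructed in-memory user store (hypothetical, not vantage6's schema).
_USERS = {"alice": _hash("correct horse")}

def _password_matches(user: str, candidate: str) -> bool:
    return hmac.compare_digest(_USERS[user], _hash(candidate))

def change_password_unthrottled(user: str, current: str, new: str):
    """Vulnerable shape: unlimited calls, each confirming whether `current` was right."""
    if not _password_matches(user, current):
        return 400, "password is wrong"
    _USERS[user] = _hash(new)
    return 200, "password changed"

class PasswordChangeGuard:
    """Hardened shape: per-user failure window, lockout, uniform error message."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for tests
        self.failures = defaultdict(list)       # user -> failure timestamps
        self.locked_until = {}                  # user -> lockout expiry

    def change_password(self, user: str, current: str, new: str):
        now = self.clock()
        if self.locked_until.get(user, 0.0) > now:
            return 429, "too many attempts; try again later"
        recent = [t for t in self.failures[user] if now - t < WINDOW_SECONDS]
        if not _password_matches(user, current):
            recent.append(now)
            if len(recent) >= MAX_ATTEMPTS:
                self.locked_until[user] = now + LOCKOUT_SECONDS
                recent = []                     # emit an audit/alert event here
            self.failures[user] = recent
            return 400, "password change rejected"   # same text on every failure
        self.failures[user] = []
        _USERS[user] = _hash(new)
        return 200, "password changed"
```

The guard keys on the user rather than the IP, so a single session cannot reset the counter by changing source address; a proxy-level limit per IP (remediation step 2) complements it.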
EUVD-2025-18202
GHSA-j6g5-p62x-58hw