Severity by source
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory (the only source for this CVE).
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
Blast Radius: 4
Ecosystem impact: 3 PyPI packages depend on vantage6 (3 direct, 0 indirect).
Ecosystem-wide dependent count for version 4.11.0.
Description (GitHub Advisory)
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If an attacker gets access to an authenticated session, they can try to brute-force the user password by using the change-password functionality: they can call that route infinitely, which will return the message that the password is wrong until it is correct. This vulnerability is fixed in 4.11.
Analysis (AI)
Critical authentication bypass vulnerability in vantage6 (an open-source federated learning and privacy-enhancing technology framework) that allows an attacker who already holds a valid authenticated session to brute-force the user's password through the change-password endpoint, which has no rate limiting or account lockout protection. The attacker can test candidate passwords without limit by calling the password-change route repeatedly, since each response states whether the supplied password was wrong. The vulnerability affects vantage6 versions prior to 4.11 and carries a CVSS score of 9.8 (critical severity).
Technical Context (AI)
vantage6 is a federated learning framework that manages privacy-enhancing technologies and multi-party computation. The vulnerability lies in the password-change endpoint and is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts), an insufficient-authentication-controls weakness. The root cause is the absence of rate limiting, CAPTCHA protection, account lockout policies, or exponential backoff on the password-change API endpoint. An attacker holding a valid session token (obtained through compromise, social engineering, or session fixation) can therefore test password candidates systematically, using the API response messages, which leak whether the current password was correct, as an oracle. The endpoint lacks the standard brute-force protections: (1) limiting authentication attempts per session or IP, (2) enforcing progressive delays between attempts, (3) temporarily locking the account after repeated failures, and (4) requiring additional verification (TOTP, email confirmation) before a password change.
Remediation (AI)
IMMEDIATE ACTIONS:
(1) Upgrade to vantage6 version 4.11 or later; this is the primary remediation confirmed in the CVE description.
(2) For organizations unable to patch immediately: implement rate limiting at the reverse proxy or API gateway level (e.g., nginx, AWS WAF, Cloudflare), restricting the password-change endpoint to 5 attempts per IP or session per 15 minutes.
(3) Enable account lockout after 5-10 failed password-change attempts, with a 30-minute lockout duration.
(4) Require secondary verification (email confirmation token, TOTP) for password changes.
(5) Monitor API logs for repeated failed password-change attempts and alert on suspicious patterns.
(6) Force a password reset for all users after the incident if a breach is suspected.
(7) Review session token expiration policies; reduce the session timeout to 1-4 hours at most.
(8) Implement request signing or CSRF tokens on password-change endpoints.
(9) Log and audit all password-change activity with source IP tracking.
VENDOR PATCH: Update to vantage6 4.11+, which includes explicit rate limiting and account lockout controls on authentication endpoints.
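The missing controls described in the Technical Context and the lockout in step (3) above, shown side by side as an added example; this is not vantage6's own code, the user store is an in-memory stand-in, and the attempt limit, lockout window and hashing parameters are assumed values.

```python
# Added example, not vantage6's own code: a change-password route modelled
# with and without the brute-force controls discussed above. User records
# are an in-memory stand-in for the real store; the limits are assumed values.
import hashlib
import hmac
import os
import time

MAX_FAILED = 5             # failed attempts allowed before lockout
LOCKOUT_SECONDS = 30 * 60  # how long further attempts are refused
PBKDF2_ROUNDS = 50_000     # moderate so the demo runs quickly

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; draws a fresh salt when none is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class User:
    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.failed = 0          # consecutive failed change-password attempts
        self.locked_until = 0.0  # epoch seconds; attempts refused before this

def verify(user: User, password: str) -> bool:
    _, digest = hash_password(password, user.salt)
    return hmac.compare_digest(digest, user.digest)

def change_password_unsafe(user: User, current: str, new: str) -> tuple:
    """Vulnerable pattern: no attempt limit, and the reply confirms the guess
    was wrong, so every call is a free oracle on the current password."""
    if not verify(user, current):
        return 400, "password is wrong"
    user.salt, user.digest = hash_password(new)
    return 200, "ok"

def change_password_guarded(user: User, current: str, new: str, now=None) -> tuple:
    """Hardened pattern: per-user failure counter, lockout window that refuses
    all attempts (even correct ones), and a generic failure message."""
    now = time.time() if now is None else now
    if now < user.locked_until:
        return 429, "too many attempts, try again later"
    if not verify(user, current):
        user.failed += 1
        if user.failed >= MAX_FAILED:
            user.failed, user.locked_until = 0, now + LOCKOUT_SECONDS
        return 400, "password change failed"
    user.failed = 0
    user.salt, user.digest = hash_password(new)
    return 200, "ok"
```

In a real deployment the counter and lockout timestamp must live in shared storage (database or cache) so that the limit holds across server instances, and the proxy-level rate limit from step (2) still applies on top.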
vantage6 servers auto-generate JWT secret keys using UUID1, a predictable algorithm that lacks cryptographic strength, a
Default hardcoded admin credentials in vantage6 expose servers running versions prior to 5.0.0 to unauthorized administr
Improper access control in vantage6 nodes prior to version 5.0.0 allows malicious algorithm containers to read input and
External POC / Exploit Code
Advisory identifiers: EUVD-2025-18202, GHSA-j6g5-p62x-58hw