CVE-2025-47776
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
Description
Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. [1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782 ### Impact On MantisBT instances configured to use the *MD5* login method, user accounts having a password hash evaluating to zero (i.e. matching regex `^0+[Ee][0-9]+$`) are vulnerable, allowing an attacker knowing the victim's username to login without knowledge of their actual password, using any other password having a hash evaluating to zero, for example `comito5` (0e579603064547166083907005281618). No password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack. ### Patches * https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2 ### Workarounds Check the database for vulnerable accounts, and change those users' passwords, e.g. for MySQL: ```sql SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$' ``` ### References - https://mantisbt.org/bugs/view.php?id=35967 ### Credits Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.
How to fix CVE-2025-47776
To remediate CVE-2025-47776, upgrade the affected package to a fixed version below.
- —upgrade to 2.27.2 or later
Is CVE-2025-47776 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.27.2