OrangeHRM is Vulnerable to Account Takeover Through Unvalidated Username in...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.

AI Analysis

Unvalidated username in password reset workflow allows account takeover

Basic Information

ID CVE-2025-66225

Source GitHub_M

Published Nov 29, 2025 at 03:05

Affected Product

Vendor orangehrm

Product orangehrm

Version >= 5.0, < 5.8

Affected Versions orangehrm orangehrm >= 5.0, < 5.8

CWE Classification

CWE-20 CWE-345

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor OrangeHRM

Product OrangeHRM

Version 5.0-5.7

References

github.com /orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263

{
    "lastseen": "",
    "description": "OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.",
    "published": "2025-11-29T03:05:46.498Z",
    "modified": "2025-11-29T03:05:46.498Z",
    "type": "cve",
    "title": "OrangeHRM is Vulnerable to Account Takeover Through Unvalidated Username in Password Reset Workflow",
    "source": "GitHub_M",
    "references": "https://github.com/orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263",
    "id": "CVE-2025-66225",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-345"
    ],
    "cvelist": null,
    "sourceData": "orangehrm orangehrm >= 5.0, < 5.8",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "orangehrm",
    "version": ">= 5.0, < 5.8",
    "vendor": "orangehrm",
    "ai_description": "Unvalidated username in password reset workflow allows account takeover",
    "ai_severity": "High",
    "ai_vendor": "OrangeHRM",
    "ai_product": "OrangeHRM",
    "ai_version": "5.0-5.7",
    "ai_score": 8.7
}

OrangeHRM is Vulnerable to Account Takeover Through Unvalidated Username in Password Reset Workflow_CVE-2025-66225