ghsa-qmg5-v42x-qqhq
Vulnerability from github
Published
2025-12-08 17:56
Modified
2025-12-09 19:19
Summary
1Panel – CAPTCHA Bypass via Client-Controlled Flag
Details

Summary

A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO).

Details

The /api/login endpoint accepts a boolean field named ignoreCaptcha directly from the client request body:

"ignoreCaptcha": true

The backend implementation uses this value to determine whether CAPTCHA validation should be performed:

```
if !req.IgnoreCaptcha {
    if errMsg := captcha.VerifyCode(req.CaptchaID, req.Captcha); errMsg != "" {
        helper.BadAuth(c, errMsg, nil)
        return
    }
}
```

Because req.IgnoreCaptcha is taken directly from user input—with no server-side validation, no session binding, and no privilege checks—any unauthenticated attacker can force CAPTCHA validation to be skipped.

No additional condition gates the bypass; in particular there is:

  • no MFA requirement
  • no trusted-device check
  • no IP reputation check
  • no requirement for a prior valid session
  • no rate limiting

This results in CAPTCHA being entirely client-controlled, which violates fundamental authentication and anti-automation security assumptions.
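The following is an added, self-contained example written for this page; it is not 1Panel's code or its patch. It reproduces the decision structure quoted above (`vulnerableLogin`) next to a hardened handler that never reads the client's flag and instead takes the "is a captcha required" decision from server-side policy. The credential fields, the in-memory captcha and user stores, the `captchaRequired` variable and the password-guessing loop are all constructed for the example; only the field names `ignoreCaptcha`, `captchaID` and `captcha` and the `VerifyCode`-style calling convention come from the advisory.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// loginRequest carries the captcha fields named in the advisory. The
// credential fields are assumptions for this example, not 1Panel's schema.
type loginRequest struct {
	Name          string `json:"name"`
	Password      string `json:"password"`
	CaptchaID     string `json:"captchaID"`
	Captcha       string `json:"captcha"`
	IgnoreCaptcha bool   `json:"ignoreCaptcha"`
}

// Constructed server-side state: one issued captcha, one user, one policy flag.
var (
	issuedCaptchas  = map[string]string{"cap-1": "x7k2"}
	users           = map[string]string{"admin": "correct-horse-battery"}
	captchaRequired = true // server-side policy; never taken from the request
)

const (
	msgCaptcha = "captcha invalid"
	msgCreds   = "bad credentials"
)

// verifyCode stands in for captcha.VerifyCode: "" on success, else a message.
func verifyCode(id, answer string) string {
	want, ok := issuedCaptchas[id]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(answer)) != 1 {
		return msgCaptcha
	}
	return ""
}

func checkCredentials(req loginRequest) (int, string) {
	want, ok := users[req.Name]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(req.Password)) != 1 {
		return http.StatusUnauthorized, msgCreds
	}
	return http.StatusOK, "ok"
}

func decode(body string) (loginRequest, error) {
	var req loginRequest
	err := json.NewDecoder(strings.NewReader(body)).Decode(&req)
	return req, err
}

// vulnerableLogin mirrors the quoted snippet: the client's flag decides
// whether the captcha is checked at all.
func vulnerableLogin(body string) (int, string) {
	req, err := decode(body)
	if err != nil {
		return http.StatusBadRequest, err.Error()
	}
	if !req.IgnoreCaptcha {
		if errMsg := verifyCode(req.CaptchaID, req.Captcha); errMsg != "" {
			return http.StatusUnauthorized, errMsg
		}
	}
	return checkCredentials(req)
}

// hardenedLogin never consults req.IgnoreCaptcha; the requirement comes
// from server-side configuration only, so a stale client sending the flag
// is simply ignored.
func hardenedLogin(body string) (int, string) {
	req, err := decode(body)
	if err != nil {
		return http.StatusBadRequest, err.Error()
	}
	if captchaRequired {
		if errMsg := verifyCode(req.CaptchaID, req.Captcha); errMsg != "" {
			return http.StatusUnauthorized, errMsg
		}
	}
	return checkCredentials(req)
}

// attemptsReachingCredentials runs a constructed guessing loop that sends
// ignoreCaptcha:true with no captcha answer, and counts how many guesses get
// past the captcha gate and are evaluated against the stored password.
func attemptsReachingCredentials(login func(string) (int, string), guesses []string) int {
	n := 0
	for _, g := range guesses {
		body := fmt.Sprintf(`{"name":"admin","password":%q,"ignoreCaptcha":true}`, g)
		if _, msg := login(body); msg != msgCaptcha {
			n++
		}
	}
	return n
}

func main() {
	guesses := []string{"admin", "password", "123456", "correct-horse-battery"}
	fmt.Println("vulnerable, guesses reaching credentials:", attemptsReachingCredentials(vulnerableLogin, guesses))
	fmt.Println("hardened, guesses reaching credentials:  ", attemptsReachingCredentials(hardenedLogin, guesses))
}
```

Running `main` shows every guess reaching the credential check against the vulnerable handler and none against the hardened one. The general rule the example illustrates: any input that relaxes an authentication control (skip captcha, skip MFA, trust this device) must be derived from state the server owns (configuration, an authenticated session, a signed token), not from a field the unauthenticated caller can set.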



{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/1Panel-dev/1Panel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/1Panel-dev/1Panel/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20251128030527-ac43f00273be"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-602",
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-08T17:56:27Z",
    "nvd_published_at": "2025-12-09T16:18:19Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO).\n\n### Details\n\nThe /api/login endpoint accepts a boolean field named ignoreCaptcha directly from the client request body:\n\n`\"ignoreCaptcha\": true`\n\n\nThe backend implementation uses this value to determine whether CAPTCHA validation should be performed:\n\n```\nif !req.IgnoreCaptcha {\n    if errMsg := captcha.VerifyCode(req.CaptchaID, req.Captcha); errMsg != \"\" {\n        helper.BadAuth(c, errMsg, nil)\n        return\n    }\n}\n\n```\n\nBecause req.IgnoreCaptcha is taken directly from user input\u2014with no server-side validation, no session binding, and no privilege checks\u2014any unauthenticated attacker can force CAPTCHA validation to be skipped.\n\nThere are no additional conditions, such as:\n\nno requirement for MFA\n\nno trusted device\n\nno IP reputation checks\n\nno prior valid session\n\nno rate limiting\n\nThis results in CAPTCHA being entirely client-controlled, which violates fundamental authentication and anti-automation security assumptions.",
  "id": "GHSA-qmg5-v42x-qqhq",
  "modified": "2025-12-09T19:19:10Z",
  "published": "2025-12-08T17:56:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-qmg5-v42x-qqhq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66507"
    },
    {
      "type": "WEB",
      "url": "https://github.com/1Panel-dev/1Panel/commit/ac43f00273be745f8d04b90b6e2b9c1a40ef7bca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/1Panel-dev/1Panel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/1Panel-dev/1Panel/releases/tag/v2.0.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "1Panel \u2013 CAPTCHA Bypass via Client-Controlled Flag "
}

