CVE-2025-25206

eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input validation could allow an authenticated user to read sensitive information, including login token or other content stored in the database. This could lead to privilege escalation if cookies are enabled (default setting). Users must upgrade to eLabFTW version 5.1.15 to receive a fix. No known workarounds are available.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/elabftw/elabftw/releases/tag/5.1.15	Release Notes
https://github.com/elabftw/elabftw/security/advisories/GHSA-qffc-rfjh-77gg	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*

History

18 Aug 2025, 18:23

Type	Values Removed	Values Added
First Time		Elabftw Elabftw elabftw
CPE		cpe:2.3:a:elabftw:elabftw::::::::
References	~~() https://github.com/elabftw/elabftw/releases/tag/5.1.15 -~~	() https://github.com/elabftw/elabftw/releases/tag/5.1.15 - Release Notes
References	~~() https://github.com/elabftw/elabftw/security/advisories/GHSA-qffc-rfjh-77gg -~~	() https://github.com/elabftw/elabftw/security/advisories/GHSA-qffc-rfjh-77gg - Vendor Advisory
Summary		(es) eLabFTW es un cuaderno de laboratorio electrónico de código abierto para laboratorios de investigación. Antes de la versión 5.1.15, una validación de entrada incorrecta podía permitir que un usuario autenticado leyera información confidencial, incluido el token de inicio de sesión u otro contenido almacenado en la base de datos. Esto podía provocar una escalada de privilegios si se habilitaban las cookies (configuración predeterminada). Los usuarios deben actualizar a la versión 5.1.15 de eLabFTW para recibir una solución. No se conocen workarounds.

14 Feb 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-14 17:15

Updated : 2025-08-18 18:23

NVD link : CVE-2025-25206

Mitre link : CVE-2025-25206

CVE.ORG link : CVE-2025-25206

JSON object : View

Products Affected

elabftw

elabftw

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.3 /10