CVE-2025-54305 — HIGH (7.8)

Vulnerability Description

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user with local access to the server may bypass authentication.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Thermofisher	Torrent Suite Software	5.18.1

Related Weaknesses (CWE)

CWE-290

References

https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-ProductRelease Notes
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2Vendor Advisory
https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-Product

FAQ

What is CVE-2025-54305?

CVE-2025-54305 is a vulnerability with a CVSS score of 7.8 (HIGH). An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if t...

How severe is CVE-2025-54305?

CVE-2025-54305 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-54305?

Check the references section above for vendor advisories and patch information. Affected products include: Thermofisher Torrent Suite Software.