Vulnerability Description
The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling a user account with a lower user ID can update their email address to that of another user with a higher user ID without proper verification. This results in the victim's email being reassigned to the attacker's account, causing the victim to be locked out immediately and unable to log in. The vulnerability leads to denial of service via account lockout but does not grant the attacker direct access to the victim's private data.
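The defensive pattern that closes this class of bug, as an added example that is not OpenML's code: a new address is applied only after a confirmation token delivered to that address comes back, an address already held by another account is never reassigned, and the response does not reveal whether an address is registered. The class, method and field names, the in-memory user store and the `outbox` stand-in for the mail sender are all assumptions of this example.

```python
import hmac
import hashlib
import secrets
import time

class EmailChangeService:
    """Email update flow: prove control of the new address first, never take another account's address."""

    def __init__(self, users, ttl_seconds=900):
        self.users = users      # constructed store: user_id -> {"email": ..., "pending": ...}
        self.ttl = ttl_seconds
        self.outbox = []        # (recipient, token): stands in for the mail sender

    def _owner_of(self, email):
        # Stored emails are assumed to be normalised to lower case.
        return next((uid for uid, rec in self.users.items()
                     if rec["email"] == email), None)

    def request_change(self, user_id, new_email):
        """Start a change. The reply is identical whether or not the address is
        free, so it does not reveal which emails are registered."""
        new_email = new_email.strip().lower()
        owner = self._owner_of(new_email)
        if owner is None or owner == user_id:
            token = secrets.token_urlsafe(32)
            self.users[user_id]["pending"] = {
                "email": new_email,
                "token_hash": hashlib.sha256(token.encode()).hexdigest(),
                "expires": time.time() + self.ttl,
            }
            self.outbox.append((new_email, token))  # sent to the NEW address only
        # Address held by another account: record nothing (a real system would
        # notify that owner rather than reassign the address).
        return "If the address is available, a confirmation link has been sent to it."

    def confirm_change(self, user_id, token):
        """Apply the pending change only with a valid, unexpired token for this user."""
        pending = self.users[user_id].get("pending")
        if not pending or time.time() > pending["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        # Re-check ownership at confirmation time: the address may have been
        # claimed by another account since the request was made.
        if self._owner_of(pending["email"]) not in (None, user_id):
            return False
        self.users[user_id]["email"] = pending["email"]
        self.users[user_id]["pending"] = None
        return True
```

With this flow the lower-ID account in the advisory cannot move the victim's address onto itself: the request is accepted with a neutral reply, but no pending change is recorded and the victim's login is untouched.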
CVSS Score
3.5 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openml | Openml.Org | <= 2.0.20241110 |
Related Weaknesses (CWE)
References
- https://github.com/openml (Product)
- https://github.com/openml/openml.org (Product)
- https://github.com/openml/openml.org/security/advisories/GHSA-87c5-mc8v-xf7r (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-55795?
CVE-2025-55795 is a vulnerability with a CVSS score of 3.5 (LOW). The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling...
How severe is CVE-2025-55795?
CVE-2025-55795 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-55795?
Check the references section above for vendor advisories and patch information. Affected products include: Openml Openml.Org.