CVE-2025-55796

Published: Nov 18, 2025

Modified: Nov 18, 2025

PUBLISHED

Description

The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted as "%d %H:%M:%S" without incorporating any user-specific data or cryptographic randomness. This predictability allows remote attackers to brute-force valid tokens within a small time window, enabling unauthorized account confirmation, password resets, and email change approvals, potentially leading to account takeover.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/openml

https://github.com/openml/openml.org

https://github.com/openml/openml.org/security/advisories/GHSA-xfjh-gf9p-8qr6

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-55796

Description

Affected Products

References