CVE-2025-54573: CVAT Unverified Email Vulnerability Leads to Potential Abuse

CVAT (Computer Vision Annotation Tool) is a popular open-source tool for labeling images and videos. A vulnerability has been identified in CVAT versions prior to 2.42.0 which allows users to create accounts without proper email verification, potentially leading to system abuse.

Vulnerability Details

  • CVE ID: CVE-2025-54573
  • Description: CVAT versions 1.1.0 through 2.41.0 did not enforce email verification when using Basic HTTP Authentication. This allowed attackers to create accounts using fake email addresses and utilize the product as verified users.
  • CVSS Score: 4.3 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVSS Explanation: A network-based attacker with low privileges can cause a limited denial of service without any user interaction. The lack of email verification makes the system vulnerable to bot signups and potential resource exhaustion.
  • Exploit Requirements: An attacker only needs network access to the CVAT instance and the ability to create new user accounts.
  • Affected Vendor: CVAT.ai
  • Affected Product: CVAT
  • Affected Versions: 1.1.0 through 2.41.0
  • CWE: CWE-287 - Improper Authentication. This means the system does not adequately verify the identity of the user attempting to access the system, allowing for unauthorized access or actions.

Timeline of Events

  • Reported: Unknown
  • Fixed: Included in CVAT 2.42.0
  • CVE Published: 2025-07-30

Exploitability & Real-World Risk

The lack of email verification allows attackers to create multiple accounts, potentially overwhelming system resources, conducting spam campaigns, or using the platform for malicious purposes disguised as legitimate users. If CVAT is integrated with other systems or services, unverified accounts could potentially be leveraged to gain unauthorized access or perform malicious actions in those connected environments.

Recommendations

  • Upgrade: Upgrade to CVAT version 2.42.0 or later.
  • Disable Registration (Enterprise): CVAT Enterprise customers can disable registration to prevent this issue.
  • Monitor Account Creation: Monitor for suspicious account creation activity, such as a high volume of signups from the same IP address or with similar usernames.
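The monitoring recommendation above is easier to act on with a concrete detector. The following Python is an added example, not CVAT's own code: it parses a constructed set of signup log lines (the `signup user=... email=... ip=...` format is assumed for illustration, not CVAT's real log format) and flags two patterns from the list: bursts of signups from one IP inside a sliding time window, and runs of usernames that differ only by a trailing number.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for the example; the format is assumed, not CVAT's.
SAMPLE_LOG = """\
2025-07-30T10:00:01Z signup user=alice email=alice@example.org ip=203.0.113.5
2025-07-30T10:00:09Z signup user=bot_user01 email=bot01@example.invalid ip=198.51.100.7
2025-07-30T10:00:12Z signup user=bot_user02 email=bot02@example.invalid ip=198.51.100.7
2025-07-30T10:00:15Z signup user=bot_user03 email=bot03@example.invalid ip=198.51.100.7
2025-07-30T10:00:18Z signup user=bot_user04 email=bot04@example.invalid ip=198.51.100.7
2025-07-30T10:00:21Z signup user=bot_user05 email=bot05@example.invalid ip=198.51.100.7
2025-07-30T10:00:24Z signup user=bot_user06 email=bot06@example.invalid ip=198.51.100.7
2025-07-30T10:45:00Z signup user=bob email=bob@example.org ip=192.0.2.44
2025-07-30T11:30:00Z signup user=bot_user07 email=bot07@example.invalid ip=198.51.100.7
malformed line that the parser should skip
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) signup user=(?P<user>\S+) email=(?P<email>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed signup line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "email": m["email"], "ip": m["ip"]}


def username_stem(user):
    """Strip a trailing numeric suffix so bot_user01 and bot_user02 share a stem."""
    return re.sub(r"\d+$", "", user.lower())


def find_burst_ips(events, window=timedelta(minutes=10), threshold=5):
    """Map IP -> peak number of signups seen inside any `window`-long span."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def find_similar_usernames(events, threshold=5):
    """Map username stem -> the usernames sharing it, for stems used >= threshold times."""
    by_stem = defaultdict(list)
    for e in events:
        by_stem[username_stem(e["user"])].append(e["user"])
    return {stem: users for stem, users in by_stem.items() if len(users) >= threshold}


def analyze(log_text):
    """Run both detectors over raw log text; malformed lines are ignored."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "burst_ips": find_burst_ips(events),
        "similar_usernames": find_similar_usernames(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The thresholds (five signups per ten minutes, five usernames per stem) are starting points; tune them against a normal day's registrations before alerting on them, and feed the flagged IPs and stems into whatever review process handles account abuse.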

Technical Insight

The vulnerability stems from the fact that the application did not require a valid, verified email address during account registration when using Basic HTTP Authentication. This missing check allowed anyone to create an account using any email address, without proving ownership of the address. While Basic Authentication is less common than the other supported methods, it should enforce email verification just as they do.
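To make the missing check concrete, here is an added Python model of a registration and Basic-auth flow; it is illustrative code, not CVAT's implementation, and the class and method names (`AccountService`, `register`, `confirm_email`, `authenticate_basic`) are assumptions. Registration always creates the account in an unverified state with a single-use confirmation token, and the `require_verified` flag on `authenticate_basic` shows the difference between the behaviour the advisory describes (verification skipped on the Basic-auth path) and the fixed behaviour (unverified accounts are rejected regardless of how they authenticate).

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    email_verified: bool = False
    verification_token: Optional[str] = None  # single-use; cleared once confirmed


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def basic_header(username: str, password: str) -> str:
    """Build an Authorization header value the way a Basic-auth client does."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class AccountService:
    """Hypothetical account store used only for this example."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def register(self, username: str, email: str, password: str) -> str:
        """Create an UNVERIFIED account and return its confirmation token.
        A real service would email the token to `email` rather than return it;
        returning it keeps the example self-contained."""
        if username in self.users:
            raise ValueError("username taken")
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)
        self.users[username] = User(
            username, email, salt, _hash_password(password, salt),
            verification_token=token,
        )
        return token

    def confirm_email(self, username: str, token: str) -> bool:
        """Mark the email verified if the presented token matches (constant-time)."""
        user = self.users.get(username)
        if user is None or user.verification_token is None:
            return False
        if not hmac.compare_digest(user.verification_token, token):
            return False
        user.email_verified = True
        user.verification_token = None
        return True

    def authenticate_basic(self, authorization: str,
                           require_verified: bool = True) -> Optional[User]:
        """Resolve a Basic Authorization header to a User, or None.
        require_verified=False models the pre-fix behaviour the advisory describes:
        the password is checked but the verification state is ignored."""
        scheme, _, payload = authorization.partition(" ")
        if scheme != "Basic":
            return None
        try:
            username, _, password = base64.b64decode(payload).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            return None
        if require_verified and not user.email_verified:
            return None  # the check that was missing on the Basic-auth path
        return user


if __name__ == "__main__":
    svc = AccountService()
    token = svc.register("demo", "demo@example.invalid", "correct horse")
    hdr = basic_header("demo", "correct horse")
    print("pre-fix (unverified accepted):", svc.authenticate_basic(hdr, require_verified=False) is not None)
    print("fixed   (unverified rejected):", svc.authenticate_basic(hdr) is not None)
    svc.confirm_email("demo", token)
    print("after confirmation:", svc.authenticate_basic(hdr) is not None)
```

The point of the model is that verification state lives on the account, not on the login method, so every authentication path consults the same `email_verified` flag; a new login method added later cannot quietly bypass it.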

Credit to Researcher(s)

GitHub Security Advisory.

Tags

CVE-2025-54573, CVAT, Email Verification, Security Vulnerability, Computer Vision, Annotation Tool

Summary: CVAT versions prior to 2.42.0 allow users to create accounts without email verification, potentially leading to abuse. Upgrade to the latest version or disable registration.

CVE ID: CVE-2025-54573

Risk Analysis: Lack of email verification allows abuse of the CVAT platform, including spam, resource exhaustion, and potential unauthorized access if integrated with other systems.

Recommendation: Upgrade to CVAT version 2.42.0 or later, or disable registration for Enterprise customers. Monitor account creation for suspicious activity.

Timeline

  • 2025-07-30: CVE Published
