CVE-2021-25965
📋 TL;DR
Calibre-web versions 0.6.0 to 0.6.13 contain a CSRF vulnerability that allows attackers to create admin accounts with attacker-controlled credentials. This affects all users running vulnerable versions, particularly those with internet-facing instances. An authenticated user clicking a malicious link could lead to complete application takeover.
💻 Affected Systems
- Calibre-web
📦 What is this software?
Calibre Web by Janeczku
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Calibre-web instance with attacker creating admin accounts, accessing/modifying all library content, and potentially using the server as a foothold for further attacks.
Likely Case
Attacker creates backdoor admin account, gains full control over the Calibre-web application, and can modify/delete library content or use the server for other malicious purposes.
If Mitigated
With proper CSRF protections and network segmentation, impact is limited to the Calibre-web application only, with no lateral movement possible.
🎯 Exploit Status
Exploitation requires an authenticated user to click a malicious link. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.14 and later
Vendor Advisory: https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e
Restart Required: Yes
Instructions:
1. Back up your Calibre-web configuration and database.
2. Update to version 0.6.14 or later using your package manager or by downloading from GitHub.
3. Restart the Calibre-web service.
4. Verify the update was successful.
🔧 Temporary Workarounds
CSRF Token Implementation
(all platforms) Manually add CSRF protection to the user creation endpoints if you cannot patch immediately.
Network Isolation
(Linux) Restrict Calibre-web access to trusted networks only; the ACCEPT rule must be added before the DROP rule:
iptables -A INPUT -p tcp --dport [calibre-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [calibre-port] -j DROP
🧯 If You Can't Patch
- Isolate Calibre-web instance behind VPN or internal network only
- Implement web application firewall rules to block unauthorized user creation requests
🔍 How to Verify
Check if Vulnerable:
Check the Calibre-web version in the web interface or configuration files. If the version is between 0.6.0 and 0.6.13 inclusive, the system is vulnerable.
Check Version:
Check web interface or grep version in configuration files: grep -i version /path/to/calibre-web/config
Verify Fix Applied:
Verify version is 0.6.14 or later and test user creation functionality with CSRF attempts.
📡 Detection & Monitoring
Log Indicators:
- Unexpected user creation events
- Admin account creation from unusual IP addresses
- Multiple failed login attempts followed by successful admin creation
Network Indicators:
- POST requests to /admin/user/new without proper referrer headers
- User creation requests from external IPs
SIEM Query:
source="calibre-web" AND (event="user_created" OR event="admin_created") | stats count by src_ip, user
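The network indicators above (POSTs to /admin/user/new with a missing or cross-site Referer, or from an external source) can be checked offline against a web server access log. The following is an added example, not part of this advisory or of the Calibre-web project; the log lines are constructed, and the app hostname and trusted networks are assumptions you would replace with your own.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in the common "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Oct/2021:10:00:01 +0000] "POST /admin/user/new HTTP/1.1" 302 0 "https://books.example.internal/admin/user/new" "Mozilla/5.0"
10.0.0.7 - bob [20/Oct/2021:10:02:13 +0000] "POST /admin/user/new HTTP/1.1" 302 0 "https://evil.example.net/page.html" "Mozilla/5.0"
203.0.113.9 - carol [20/Oct/2021:10:05:44 +0000] "POST /admin/user/new HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - alice [20/Oct/2021:10:06:00 +0000] "GET /admin/user/new HTTP/1.1" 200 1234 "https://books.example.internal/admin" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SENSITIVE_PATH = "/admin/user/new"  # user-creation endpoint named in this advisory


def analyse(log_text, app_host, trusted_networks):
    """Return one finding per suspicious POST to the user-creation endpoint.

    A POST is flagged when its Referer is absent, when the Referer host is not
    the application's own host (a cross-site submission), or when the source IP
    is outside the trusted networks. A missing Referer on its own is weaker
    evidence, since a strict Referrer-Policy on legitimate pages also removes it.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != SENSITIVE_PATH:
            continue
        reasons = []
        referer = m["referer"]
        if referer in ("", "-"):
            reasons.append("missing referer")
        elif urlsplit(referer).hostname != app_host:
            reasons.append("cross-site referer")
        if not any(ipaddress.ip_address(m["ip"]) in n for n in nets):
            reasons.append("external source ip")
        if reasons:
            findings.append({"src_ip": m["ip"], "user": m["user"], "ts": m["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, "books.example.internal", ["10.0.0.0/8"]):
        print(f)
```

Feed it your real access log in place of SAMPLE_LOG; the first (in-host, internal) POST is not reported, which keeps legitimate admin activity out of the output.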
🔗 References
- https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965