CVE-2025-0403

5.3 MEDIUM

📋 TL;DR

This vulnerability in reggie 1.0 allows remote attackers to obtain sensitive information by manipulating the 'code' parameter in the phone number validation handler. It affects systems running the vulnerable version of reggie with the /user/sendMsg endpoint exposed.

💻 Affected Systems

Products:
  • reggie
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Phone Number Validation Handler component at /user/sendMsg endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract sensitive user data, authentication tokens, or system information, potentially leading to account compromise or further attacks.

🟠 Likely Case

Information disclosure of validation codes or user data, which could facilitate social engineering or account takeover attempts.

🟢 If Mitigated

Limited impact with proper input validation and access controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub issues, making this easily exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

Monitor the GitHub repository for updates. Consider implementing input validation and sanitization for the 'code' parameter.

🔧 Temporary Workarounds

Input Validation (Platform: all)

Implement strict input validation for the 'code' parameter to prevent information disclosure.

Access Restriction (Platform: all)

Restrict access to the /user/sendMsg endpoint using network controls or authentication.

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious requests to /user/sendMsg
  • Monitor logs for unusual access patterns to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check if reggie 1.0 is installed and the /user/sendMsg endpoint is accessible.

Check Version:

Check application configuration or package manager for reggie version.

Verify Fix Applied:

Test the endpoint with malformed 'code' parameters to ensure no information is disclosed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /user/sendMsg with manipulated parameters
  • Error responses containing sensitive data

Network Indicators:

  • HTTP requests to /user/sendMsg with unusual 'code' parameter values

SIEM Query:

source="web_logs" AND uri_path="/user/sendMsg" AND (param_code="*" OR response_size>normal)
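
The log indicators above, applied to access-log lines as an added example (not code from the original advisory or from the reggie project). It assumes combined-format access logs with the 'code' parameter visible in the query string; the 4-6 digit code format, the size factor and the sample lines are constructed assumptions to tune per deployment.

```python
import re
from statistics import median
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (assumed layout).
SAMPLE_LOG = '''\
198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "POST /user/sendMsg HTTP/1.1" 200 58 "-" "-"
198.51.100.8 - - [10/Jan/2025:10:00:04 +0000] "POST /user/sendMsg?code=4821 HTTP/1.1" 200 60 "-" "-"
198.51.100.9 - - [10/Jan/2025:10:00:09 +0000] "POST /user/sendMsg HTTP/1.1" 200 57 "-" "-"
203.0.113.50 - - [10/Jan/2025:10:01:12 +0000] "POST /user/sendMsg?code=zzzz HTTP/1.1" 200 2310 "-" "-"
203.0.113.50 - - [10/Jan/2025:10:01:13 +0000] "POST /user/sendMsg?code= HTTP/1.1" 500 61 "-" "-"
198.51.100.7 - - [10/Jan/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')
EXPECTED_CODE = re.compile(r"\d{4,6}")  # assumption: what a well-formed code looks like
SIZE_FACTOR = 3                         # assumption: "response_size > normal" = 3x median


def find_suspicious(log_text, path="/user/sendMsg"):
    """Return (client_ip, [reasons]) for each flagged request to `path`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, target, status, size = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue
        # keep_blank_values so an empty "code=" is still seen as a supplied value
        codes = parse_qs(url.query, keep_blank_values=True).get("code", [])
        hits.append((ip, int(status), 0 if size == "-" else int(size), codes))
    if not hits:
        return []
    baseline = median(h[2] for h in hits)  # typical response size for this endpoint
    findings = []
    for ip, status, size, codes in hits:
        reasons = []
        if any(not EXPECTED_CODE.fullmatch(c) for c in codes):
            reasons.append("unexpected code value")
        if baseline and size > SIZE_FACTOR * baseline:
            reasons.append("oversized response")
        if status >= 500:
            reasons.append("server error")
        if reasons:
            findings.append((ip, reasons))
    return findings
```

Run `find_suspicious()` over a window of log data large enough that normal traffic dominates the median; a window containing mostly anomalous requests will skew the baseline.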
