CVE-2025-14567 – This CVE describes an authentication bypass vul... (How to Fix)

Q: What is the severity of CVE-2025-14567?

CVE-2025-14567 has a CVSS score of 5.3 (MEDIUM). This CVE describes an authentication bypass vulnerability in haxxorsid Stock-Management-System that allows unauthenticated remote attackers to access the /api/employees endpoint. The vulnerability affects all versions up to commit fbbbf213e9c93b87183a3891f77e3cc7095f22b0, and the product is no longer maintained by the vendor.

📋 TL;DR

This CVE describes an authentication bypass vulnerability in haxxorsid Stock-Management-System that allows unauthenticated remote attackers to access the /api/employees endpoint. The vulnerability affects all versions up to commit fbbbf213e9c93b87183a3891f77e3cc7095f22b0, and the product is no longer maintained by the vendor.

💻 Affected Systems

Products:

haxxorsid Stock-Management-System

Versions: All versions up to commit fbbbf213e9c93b87183a3891f77e3cc7095f22b0

Operating Systems: Any OS running the application

Default Config Vulnerable: ⚠️ Yes

Notes: This product uses rolling releases, so specific version numbers are not available. The product is no longer supported by the maintainer.

📦 What is this software?

Stock Management System by Haxxorsid

View all CVEs affecting Stock Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive employee data, modify inventory records, or disrupt business operations through unauthorized API access.

🟠

Likely Case

Unauthorized access to employee information and potential data exfiltration from the stock management system.

🟢

If Mitigated

If proper authentication controls are implemented, the endpoint would reject unauthenticated requests, preventing unauthorized access.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and a public exploit exists.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available in GitHub repositories. The vulnerability requires no authentication to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch is available since the product is no longer maintained. Consider migrating to a supported alternative.

🔧 Temporary Workarounds

Implement API Authentication

all

Add authentication middleware to the /api/employees endpoint to require valid credentials

# Modify the API endpoint to include authentication checks
# Example for Node.js/Express:
app.use('/api/employees', authenticateMiddleware);

Network Access Control

linux

Restrict access to the API endpoint using firewall rules or network segmentation

# Example iptables rule to restrict access:
iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP

🧯 If You Can't Patch

Deploy a web application firewall (WAF) with rules to block unauthenticated access to /api/employees
Isolate the system in a separate network segment with strict access controls

🔍 How to Verify

Check if Vulnerable:

Test if you can access http://[system_ip]/api/employees without authentication. If it returns data without login, the system is vulnerable.

Check Version:

Check the git commit hash: git log --oneline -1

Verify Fix Applied:

Attempt to access the /api/employees endpoint without authentication. It should return an authentication error (401) or redirect to login.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated requests to /api/employees endpoint
Multiple failed authentication attempts followed by successful API access

Network Indicators:

Unusual traffic patterns to /api/employees from external IPs
API requests without authentication headers

SIEM Query:

source="web_logs" AND uri="/api/employees" AND (NOT auth_token EXISTS OR auth_token="")

📊 Metadata

CVE ID: CVE-2025-14567

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-287

EPSS Score: 0.38% exploit probability (59th percentile)

Published: December 12, 2025

Last Updated: December 23, 2025

🔗 References

https://github.com/ixpqxi/CVE_LIST/blob/master/stock_management_system/access_control_vulnerability.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.336191 Permissions Required,VDB Entry
https://vuldb.com/?id.336191 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.703879 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14567, you might also want to check these: