CVE-2025-22144

9.8 CRITICAL

📋 TL;DR

This vulnerability in NamelessMC allows attackers with admincp.core.emails or admincp.users.edit permissions to reset user passwords and take over accounts. When accounts are manually validated by privileged users, the password reset code becomes empty instead of NULL, enabling unauthorized password resets. All NamelessMC installations below version 2.1.3 are affected.

💻 Affected Systems

Products:
  • NamelessMC
Versions: All versions below 2.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires users with admincp.core.emails or admincp.users.edit permissions to be present in the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of any user by privileged insiders or compromised admin accounts, leading to data theft, privilege escalation, and potential server compromise.

🟠 Likely Case

Privileged users abusing their permissions to reset passwords and hijack accounts of other users, particularly targeting administrators or moderators.

🟢 If Mitigated

Exploitation is limited to authorized administrators holding the specific permissions, but this still represents a significant insider threat vector.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with specific admin permissions. The vulnerability is straightforward to exploit once the attacker has the required permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.3

Vendor Advisory: https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p

Restart Required: No

Instructions:

1. Back up your current installation.
2. Download NamelessMC v2.1.3 from the official GitHub releases.
3. Replace all files except the 'uploads' directory and 'core/config.php'.
4. Clear your browser cache and test functionality.

🔧 Temporary Workarounds

No workarounds available

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Immediately revoke admincp.core.emails and admincp.users.edit permissions from all non-essential users
  • Implement strict monitoring of admin account activity and password reset logs

🔍 How to Verify

Check if Vulnerable:

Check your NamelessMC version by viewing the footer on any admin page or checking the 'core/version.php' file. If version is below 2.1.3, you are vulnerable.

Check Version:

grep '\$version' core/version.php

Verify Fix Applied:

After upgrading, verify the version shows 2.1.3 in the admin interface footer and test that password reset functionality works correctly.

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset requests for different users from same admin account
  • Unusual password reset activity from admin accounts
  • Password reset attempts with empty reset codes

Network Indicators:

  • HTTP requests to /nameless/index.php?route=/forgot_password/&c= with empty or manipulated parameters

SIEM Query:

source="nameless_logs" AND ((uri_path="/forgot_password" AND query_string="c=") OR (event_type="password_reset" AND admin_user!=null))
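
The network indicator above can also be checked directly against web server access logs. The following Python is an added example, not part of the advisory or of NamelessMC; the combined log format, the pretty-URL variant (/forgot_password/?c=) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Request portion of a combined-format access log entry (log format is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /index.php?route=/forgot_password/&c= HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "POST /index.php?route=/forgot_password/&c= HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Jan/2025:10:02:00 +0000] "GET /index.php?route=/forgot_password/&c=3f9a1c0e HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Jan/2025:10:03:00 +0000] "GET /index.php?route=/forgot_password/ HTTP/1.1" 200 4800',
    '192.0.2.15 - - [10/Jan/2025:10:04:00 +0000] "GET /forgot_password/?c=%20 HTTP/1.1" 200 5120',
]

def empty_reset_code_hits(lines):
    """Return (ip, target, status) for forgot_password requests whose c= is present but empty."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log request line
        parts = urlsplit(m["target"])
        # keep_blank_values keeps "c=" in the result; parse_qs also URL-decodes values.
        qs = parse_qs(parts.query, keep_blank_values=True)
        where = (parts.path + " " + " ".join(qs.get("route", []))).lower()
        if "forgot_password" not in where:
            continue
        codes = qs.get("c")
        # A missing c parameter is the normal "request a reset" page; only an
        # explicitly empty (or whitespace-only) code is flagged.
        if codes is not None and any(c.strip() == "" for c in codes):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

def hits_by_client(lines):
    """Count flagged requests per client IP for triage."""
    return dict(Counter(ip for ip, _, _ in empty_reset_code_hits(lines)))

if __name__ == "__main__":
    for ip, count in hits_by_client(SAMPLE).items():
        print(f"{ip}: {count} forgot_password request(s) with empty reset code")
```

Hits from an address that also has an authenticated admin session deserve priority, since exploitation requires the admincp permissions listed above.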
