CVE-2025-54573
📋 TL;DR
CVAT versions 1.1.0 through 2.41.0 do not enforce email verification when using Basic HTTP Authentication, allowing attackers to create accounts with fake email addresses and use the system as verified users. This vulnerability enables bot signups and unauthorized access to annotation features. All CVAT deployments using Basic HTTP Authentication within the affected version range are impacted.
💻 Affected Systems
- CVAT (Computer Vision Annotation Tool)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Mass bot account creation leading to resource exhaustion, unauthorized access to sensitive annotation data, and potential data manipulation or exfiltration.
Likely Case
Unauthorized users creating accounts to access annotation tools, potentially contaminating training datasets or accessing proprietary annotation work.
If Mitigated
Limited impact with proper network segmentation and monitoring, though unauthorized account creation could still occur.
🎯 Exploit Status
Exploitation requires no authentication and involves simple account creation with fake email addresses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.42.0 and later
Vendor Advisory: https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q
Restart Required: Yes
Instructions:
1. Update CVAT to version 2.42.0 or later.
2. Restart the CVAT service.
3. Verify that email verification is now enforced for Basic HTTP Authentication.
🔧 Temporary Workarounds
Disable User Registration
Prevent new account creation entirely to block exploitation.
Set CVAT configuration to disable registration (specific command depends on deployment method)
Use Alternative Authentication
Switch from Basic HTTP Authentication to OAuth, SAML, or another authentication method that enforces email verification.
Configure CVAT to use OAuth/SAML instead of Basic HTTP Authentication
🧯 If You Can't Patch
- Implement network-level controls to restrict CVAT access to trusted IP addresses only.
- Enable detailed logging for account creation events and monitor for suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Check the CVAT version via the web interface or the configuration files. If the version is between 1.1.0 and 2.41.0 (inclusive) and Basic HTTP Authentication is in use, the deployment is vulnerable.
Check Version:
docker exec cvat_server python manage.py --version (for Docker deployments), or check the CVAT configuration files. Note that Django's manage.py --version prints the Django version, not CVAT's own; the CVAT version itself is shown in the web interface's About dialog.
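The following is an added example, not code from the CVAT project or from this advisory. It automates the "is my version in the affected range" check: it takes the JSON that CVAT's server-info endpoint returns (the `/api/server/about` path and its `version` field are assumptions about the deployment; the sample bodies below are constructed, not captured), parses the version, and compares it against 1.1.0 through 2.41.0. It only tests the version; whether Basic HTTP Authentication is enabled still has to be confirmed from the deployment's configuration.

```python
import json
import re

# Affected range from the advisory: CVAT 1.1.0 through 2.41.0 inclusive; fixed in 2.42.0.
AFFECTED_MIN = (1, 1, 0)
AFFECTED_MAX = (2, 41, 0)
FIXED_VERSION = "2.42.0"

# Accepts '2.41.0', 'v2.41.0' and pre-release forms such as '2.42.0rc1'.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a CVAT version string.

    Pre-release suffixes are ignored for the range comparison; anything that does
    not start with three dotted integers is rejected rather than guessed at.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the version lies inside the CVE-2025-54573 affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def check_about_response(body):
    """Evaluate a server-info JSON body (assumed shape: a top-level 'version' key).

    Returns (version_string, affected).
    """
    data = json.loads(body)
    version = data["version"]
    return version, is_affected(version)


# Constructed sample responses for the example; not captured from a real server.
SAMPLE_VULNERABLE = '{"name": "Computer Vision Annotation Tool", "version": "2.41.0"}'
SAMPLE_FIXED = '{"name": "Computer Vision Annotation Tool", "version": "2.42.0"}'


if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        version, affected = check_about_response(body)
        verdict = f"AFFECTED - upgrade to {FIXED_VERSION}+" if affected else "not in affected range"
        print(f"CVAT {version}: {verdict}")
```

In a real check, the body would come from an HTTP GET against the deployment (for example with `curl` or `requests`) and the result fed to `check_about_response`; the version comparison is the part worth scripting, since a string comparison such as `"2.9.0" > "2.41.0"` gives the wrong answer.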
Verify Fix Applied:
After updating to 2.42.0+, attempt to create an account with a fake email using Basic HTTP Authentication. Creation should fail or require email verification.
📡 Detection & Monitoring
Log Indicators:
- Multiple account creation events from single IP
- Account creations with suspicious email patterns
- Failed email verification attempts
Network Indicators:
- Unusual spikes in registration traffic
- Traffic from known bot IP ranges to registration endpoints
SIEM Query:
source="cvat" event_type="user_registration" | stats count by src_ip | where count > 5
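As an added example (not part of the original advisory and not CVAT's own code), the detection logic above can be run locally over application logs when no SIEM is available. The script below implements the same idea as the SIEM query, more than five registrations from one source IP, but over a sliding ten-minute window rather than an unbounded count, and adds a simple "suspicious email pattern" heuristic. The log line format, the ten-minute window, the digit-run heuristic and the undeliverable-domain list are all assumptions made for this example; the sample log lines are constructed, not captured from a real CVAT instance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold taken from the page's SIEM query: more than 5 registrations per source IP.
REGISTRATIONS_PER_IP_THRESHOLD = 5
# Window length is an assumption for this example; tune it to the observed sign-up rate.
WINDOW = timedelta(minutes=10)

# Assumed log line shape (constructed for this example, not CVAT's real log format):
#   <ISO 8601 timestamp> user_registration src_ip=<ip> email=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user_registration\s+src_ip=(?P<ip>\S+)\s+email=(?P<email>\S+)$"
)

# Illustrative heuristics for "suspicious email patterns": a run of four or more digits in
# the local part, or a domain that cannot receive mail. Both lists are constructed examples.
DIGIT_RUN_RE = re.compile(r"\d{4,}")
UNDELIVERABLE_DOMAINS = {"example.invalid", "mailinator.invalid"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.fromisoformat(match["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": match["ip"], "email": match["email"].lower()}


def is_suspicious_email(email):
    """Heuristic only: flags digit-heavy local parts and known undeliverable domains."""
    local, _, domain = email.partition("@")
    return bool(DIGIT_RUN_RE.search(local)) or domain in UNDELIVERABLE_DOMAINS


def analyse(lines):
    """Return (flagged_ips, suspicious_emails), both sorted lists.

    An IP is flagged when more than REGISTRATIONS_PER_IP_THRESHOLD registrations fall
    inside any WINDOW-long span; registrations spread out over hours are not flagged.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(list)  # ip -> timestamps inside the current window
    flagged_ips = set()
    for event in events:
        window = recent[event["ip"]]
        window.append(event["ts"])
        while window and event["ts"] - window[0] > WINDOW:
            window.pop(0)  # expire registrations older than WINDOW
        if len(window) > REGISTRATIONS_PER_IP_THRESHOLD:
            flagged_ips.add(event["ip"])
    suspicious = {e["email"] for e in events if is_suspicious_email(e["email"])}
    return sorted(flagged_ips), sorted(suspicious)


# Constructed sample log: one burst from 203.0.113.7, one ordinary user, and six
# registrations from 192.0.2.10 spread 30 minutes apart (should not trip the threshold).
SAMPLE_LOG = [
    "2025-08-01T11:40:00Z user_registration src_ip=203.0.113.7 email=early9876@example.org",
    "2025-08-01T12:00:01Z user_registration src_ip=203.0.113.7 email=bot0001@example.invalid",
    "2025-08-01T12:00:05Z user_registration src_ip=203.0.113.7 email=bot0002@example.invalid",
    "2025-08-01T12:00:09Z user_registration src_ip=203.0.113.7 email=bot0003@example.invalid",
    "2025-08-01T12:00:14Z user_registration src_ip=203.0.113.7 email=bot0004@example.invalid",
    "2025-08-01T12:00:20Z user_registration src_ip=203.0.113.7 email=bot0005@example.invalid",
    "2025-08-01T12:00:27Z user_registration src_ip=203.0.113.7 email=bot0006@example.invalid",
    "2025-08-01T12:03:00Z user_registration src_ip=198.51.100.4 email=alice@example.org",
    "2025-08-01T10:00:00Z user_registration src_ip=192.0.2.10 email=carol@example.net",
    "2025-08-01T10:30:00Z user_registration src_ip=192.0.2.10 email=carol@example.net",
    "2025-08-01T11:00:00Z user_registration src_ip=192.0.2.10 email=carol@example.net",
    "2025-08-01T11:30:00Z user_registration src_ip=192.0.2.10 email=carol@example.net",
    "2025-08-01T12:00:00Z user_registration src_ip=192.0.2.10 email=carol@example.net",
    "2025-08-01T12:30:00Z user_registration src_ip=192.0.2.10 email=carol@example.net",
]


if __name__ == "__main__":
    ips, emails = analyse(SAMPLE_LOG)
    print("IPs over threshold:", ips)
    print("Suspicious emails:", emails)
```

Run against the sample, only 203.0.113.7 is reported: its 11:40 registration has aged out of the window by 12:00, but the six that follow within 26 seconds exceed the threshold, while 192.0.2.10's six slow registrations never do. The email heuristic is deliberately crude; in practice it should be replaced by, or combined with, the email-verification status that the 2.42.0 fix enforces.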