CVE-2025-54791
📋 TL;DR
This vulnerability in OMERO.web's password reset functionality allows information disclosure about users when password reset errors occur. Attackers can determine whether specific usernames/email addresses exist in the system, facilitating targeted attacks. All OMERO.web instances prior to version 5.29.2 with the Forgot Password feature enabled are affected.
💻 Affected Systems
- OMERO.web
📦 What is this software?
Omero Web by Openmicroscopy
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate valid user accounts, then conduct targeted phishing, credential stuffing, or brute force attacks against identified users, potentially leading to account compromise.
Likely Case
Attackers discover valid usernames/email addresses, enabling more effective social engineering or targeted attacks against specific users.
If Mitigated
Limited to information disclosure: no direct system compromise or data exfiltration beyond user enumeration.
🎯 Exploit Status
Exploitation requires no authentication and involves simple HTTP requests to trigger password reset errors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.29.2
Vendor Advisory: https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r
Restart Required: Yes
Instructions:
1. Back up the current OMERO.web configuration.
2. Upgrade to OMERO.web version 5.29.2 or later.
3. Restart the OMERO.web service.
4. Verify the fix by testing the password reset functionality.
🔧 Temporary Workarounds
Disable Forgot Password Feature
Disable the vulnerable password reset functionality in the OMERO.web configuration.
Set omero.web.show_forgot_password = False in the OMERO.web configuration.
🧯 If You Can't Patch
- Implement rate limiting on password reset requests to prevent automated enumeration
- Deploy web application firewall rules to detect and block suspicious password reset patterns
🔍 How to Verify
Check if Vulnerable:
Check the OMERO.web version and test the password reset with an invalid username; if the error message reveals whether the user exists, the system is vulnerable.
Check Version:
Check the OMERO.web version in the web interface or with the omero version command.
Verify Fix Applied:
After patching, test the password reset with an invalid username; it should return a generic error message that does not reveal whether the user exists.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts for different usernames
- Unusual patterns of password reset requests
Network Indicators:
- High volume of POST requests to password reset endpoint
- Sequential username/email enumeration patterns
SIEM Query:
source="omero-web" AND (message="password reset" OR message="forgot password") AND status="error" | stats count by src_ip, username
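The log indicators above, implemented as a check over constructed sample log lines: it groups failed password reset requests by client address and flags any client whose errors span many distinct usernames. This is an added example, not code from the OMERO project or the advisory; the key=value line format, the field names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value layout (an assumption,
# not OMERO.web's real log format). One client probes several usernames in a row;
# another makes a single successful request; one line is an unrelated login error.
SAMPLE_LOGS = [
    "2025-08-01T10:00:01Z event=forgot_password status=error src_ip=203.0.113.5 username=alice",
    "2025-08-01T10:00:02Z event=forgot_password status=error src_ip=203.0.113.5 username=bob",
    "2025-08-01T10:00:03Z event=forgot_password status=error src_ip=203.0.113.5 username=carol",
    "2025-08-01T10:00:04Z event=forgot_password status=error src_ip=203.0.113.5 username=dave",
    "2025-08-01T10:00:05Z event=forgot_password status=error src_ip=203.0.113.5 username=erin",
    "2025-08-01T10:00:06Z event=forgot_password status=ok src_ip=198.51.100.7 username=frank",
    "2025-08-01T10:00:07Z event=login status=error src_ip=203.0.113.5 username=alice",
]

LINE_RE = re.compile(
    r"event=(?P<event>\S+)\s+status=(?P<status>\S+)\s+src_ip=(?P<ip>\S+)\s+username=(?P<user>\S+)"
)


def parse(line):
    """Return the fields of a forgot-password line, or None for any other event."""
    m = LINE_RE.search(line)
    if not m or m.group("event") != "forgot_password":
        return None
    return m.groupdict()


def failed_resets_by_ip(lines):
    """Map src_ip -> set of distinct usernames whose reset request produced an error."""
    users = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == "error":
            users[rec["ip"]].add(rec["user"])
    return users


def flag_enumeration(lines, min_distinct_users=3):
    """Return {src_ip: sorted usernames} for clients whose failed reset attempts
    cover at least min_distinct_users different usernames. The threshold is a
    tuning assumption; a single mistyped username never trips it."""
    return {
        ip: sorted(users)
        for ip, users in failed_resets_by_ip(lines).items()
        if len(users) >= min_distinct_users
    }


if __name__ == "__main__":
    for ip, users in flag_enumeration(SAMPLE_LOGS).items():
        print(f"{ip}: {len(users)} distinct usernames probed: {', '.join(users)}")
```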