CVE-2025-60538
📋 TL;DR
CVE-2025-60538 affects the Shiori bookmark manager, versions 1.7.4 and below. The login endpoint enforces no rate limiting, so an attacker can brute-force user credentials with nothing more than ordinary HTTP requests (in effect an authentication brute-force weakness rather than a logic flaw in the login check itself). Every Shiori instance running with the default configuration is affected.
💻 Affected Systems
- Shiori bookmark manager, versions 1.7.4 and below (fixed in 1.7.5)
📦 What is this software?
Shiori is a simple, self-hosted bookmark manager written in Go, developed by the go-shiori project (https://github.com/go-shiori/shiori). It exposes a web UI with a login form; that login endpoint is the surface this CVE concerns.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to all bookmarks, potential data theft, and further system compromise if shiori is integrated with other services.
Likely Case
Successful brute force attacks against weak passwords, resulting in unauthorized access to user bookmarks and potential data exposure.
If Mitigated
Failed login attempts logged but no successful authentication without proper credentials.
🎯 Exploit Status
Exploitation requires only standard HTTP requests to the login endpoint: a short script that iterates over a password list is sufficient, and because attempts are neither throttled nor locked out, the attack rate is bounded only by network and server capacity. No special tools or knowledge are needed beyond basic scripting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.5 or later
Vendor Advisory: https://github.com/go-shiori/shiori/issues/1138
Restart Required: Yes
Instructions:
1. Back up your Shiori database.
2. Stop the Shiori service.
3. Update to version 1.7.5 or later using your package manager or by downloading the release from GitHub.
4. Restart the Shiori service.
5. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Web Application Firewall Rate Limiting
Implement rate limiting at the web server or WAF level to restrict login attempts. Make sure the limit covers the path the login form actually POSTs to: check the browser's network tab, because the HTML login page and the route that checks the credentials may be different paths, and limiting only the page does nothing. Note that nginx answers rate-limited requests with 503 unless limit_req_status is set to 429.
# Example nginx rate limiting (zone declared in the http block, limit_req applied in the login location; upstream port 8080 is Shiori's default and assumed here)
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location = /login {
    limit_req zone=login burst=10 nodelay;
    proxy_pass http://127.0.0.1:8080;
}
Reverse Proxy Configuration
Configure a reverse proxy such as nginx or Apache to enforce rate limiting before requests reach Shiori. The Apache example below uses mod_evasive, which blocks a client that requests the same URI more than DOSPageCount times within DOSPageInterval seconds (here: more than 5 hits on one page within 2 seconds) for DOSBlockingPeriod seconds. It applies to every page, not only the login form, and its counters are kept per Apache child process rather than shared server-wide, so treat it as a coarse control rather than a precise login limiter.
# Apache mod_evasive example (the module must be loaded first, e.g. a2enmod evasive on Debian/Ubuntu)
<IfModule mod_evasive24.c>
    DOSHashTableSize 3097
    DOSPageCount 5        # hits on the same URI per DOSPageInterval before blocking
    DOSSiteCount 100      # hits on the whole site per DOSSiteInterval before blocking
    DOSPageInterval 2     # seconds
    DOSSiteInterval 2     # seconds
    DOSBlockingPeriod 600 # seconds the client stays blocked
</IfModule>
🧯 If You Can't Patch
- Restrict network access to the Shiori instance (at minimum its login endpoint) to trusted IP ranges or a VPN, so that untrusted clients cannot reach the login form at all.
- Enforce strong, unique passwords for every Shiori account and change any default credentials. If you need a second factor, place an authenticating reverse proxy or SSO gateway in front of Shiori rather than relying on the application's own login form.
🔍 How to Verify
Check if Vulnerable:
Check the Shiori version (from the binary, or from the container image tag for Docker deployments). If it is 1.7.4 or below, the instance is vulnerable. To confirm, send a rapid series of login requests with a deliberately wrong password and observe whether every one of them is processed (each receives a normal invalid-credentials response) rather than being throttled or blocked.
Check Version:
shiori version
Verify Fix Applied:
After updating to 1.7.5 or later, repeat the rapid-login test with a wrong password. Excessive attempts should now be delayed or rejected instead of all being processed. If you rely on a proxy-level workaround rather than the patch, confirm that the limit triggers on the path the login form actually POSTs to, not only on the HTML login page.
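To make the rapid-login check repeatable, here is an added example; it is not code from this advisory or from the Shiori project. It assumes that the login form POSTs a JSON body with "username" and "password" to /login on a Shiori listening at http://127.0.0.1:8080, that the default account name is "shiori", and that a throttle answers 429 or 503; all of these are assumptions to confirm against your own deployment (the real path and body format are visible in the browser's network tab). Every attempt uses a deliberately wrong password, so the probe only observes whether attempts keep being processed and never logs in. The sender is injectable so the decision logic can be exercised without a live server.

```python
"""Probe whether a Shiori login endpoint throttles rapid attempts.

Added example, not code from the advisory or the Shiori project. Assumptions
(confirm against your deployment): the login form POSTs JSON with "username"
and "password" to BASE_URL + LOGIN_PATH, the default account name is "shiori",
and a throttle answers 429 (or 503, nginx's default for limit_req). Every
attempt uses a deliberately wrong password, so the probe only observes whether
attempts keep being processed; it never logs in.
"""
import json
import sys
import urllib.error
import urllib.request

LOGIN_PATH = "/login"            # assumed; check the browser's network tab for the real path
THROTTLE_STATUSES = {429, 503}   # what a rate limiter or proxy answers once it kicks in


def make_http_sender(base_url, path=LOGIN_PATH, timeout=5.0):
    """Build a sender: POST one credential pair, return the HTTP status (None if no HTTP answer)."""
    def send(username, password):
        body = json.dumps({"username": username, "password": password}).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=body, method="POST",
            headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code          # 401/403 = credentials rejected, 429/503 = throttled
        except urllib.error.URLError:
            return None              # connection refused, reset or timed out
    return send


def classify(status):
    """Map one response to processed / throttled / dropped."""
    if status is None:
        return "dropped"
    return "throttled" if status in THROTTLE_STATUSES else "processed"


def probe_rate_limit(send, attempts=30, username="shiori"):
    """Fire `attempts` wrong-password logins through `send` and summarise what happened."""
    statuses = [send(username, f"definitely-wrong-{i}") for i in range(attempts)]
    kinds = [classify(s) for s in statuses]
    first_throttled = next((i + 1 for i, k in enumerate(kinds) if k == "throttled"), None)
    processed = kinds.count("processed")
    if first_throttled is not None:
        verdict = "rate-limited"          # an explicit throttle response was seen
    elif processed == 0:
        verdict = "inconclusive"          # nothing was answered: server down or unreachable
    else:
        verdict = "not-rate-limited"      # every answered attempt was processed: vulnerable
    return {
        "attempts": attempts,
        "processed": processed,
        "throttled": kinds.count("throttled"),
        "dropped": kinds.count("dropped"),
        "first_throttled_at": first_throttled,
        "verdict": verdict,
    }


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"  # Shiori's default port, assumed
    print(json.dumps(probe_rate_limit(make_http_sender(base)), indent=2))
```

Run it as `python probe.py http://your-shiori:8080` against a test instance you own. A verdict of not-rate-limited on 1.7.4 or below reproduces the weakness; after patching or adding a proxy limit, first_throttled_at should be a small number. Dropped connections are reported separately rather than counted as throttling, because a limiter that closes connections (fail2ban, for instance) and a server that is simply down look the same on the wire; judge those from the dropped count and the server logs.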
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from same IP address in short time period
- Unusual login patterns outside normal business hours
Network Indicators:
- High volume of POST requests to /login endpoint
- Traffic patterns showing automated login attempts
SIEM Query:
source="shiori.log" AND "POST /login" | bin _time span=5m | stats count by src_ip, _time | where count > 10
If Shiori sits behind a reverse proxy, search the proxy's access log instead and derive src_ip from the X-Forwarded-For header; otherwise every attempt appears to originate from the proxy's own address and the per-IP count is meaningless.
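The SIEM query above expresses the detection as a per-IP count within a time window. The following is an added example, not code from this advisory or from the Shiori project, that implements the same rule offline as a sliding-window detector over nginx combined-format access log lines of the kind a reverse proxy in front of Shiori writes. The sample lines, addresses, timestamps and user agent are constructed for the demonstration; the login path /login is taken from the indicators above and is an assumption, and the detector assumes that the lines for any given client appear in chronological order.

```python
"""Sliding-window detector for brute-force attempts against the Shiori login endpoint.

Added example, not code from the advisory or the Shiori project. It parses nginx
combined-format access log lines and flags any client address that POSTs to
LOGIN_PATH more than THRESHOLD times within WINDOW_S seconds, mirroring the SIEM
query. The sample log is constructed here; LOGIN_PATH is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login"   # assumed; adjust to the path the login form really POSTs to
THRESHOLD = 10          # more than this many attempts ...
WINDOW_S = 300          # ... within this many seconds flags the address


def login_attempts(lines):
    """Yield (ip, timestamp) for every POST to the login endpoint; skip everything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip it rather than crash the detector
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue  # GETs of the login page and other routes are not attempts
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT)


def find_bruteforcers(lines, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return {ip: {"attempts": n, "window_start": ts, "window_end": ts}} for offenders.

    One deque of timestamps is kept per client; entries older than the window are
    dropped before each check. Lines for a given client must be in time order.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in login_attempts(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold and len(q) > flagged.get(ip, {}).get("attempts", 0):
            flagged[ip] = {"attempts": len(q), "window_start": q[0], "window_end": ts}
    return flagged


# --- constructed sample log (made-up addresses, times and user agent) ---------------
BASE = datetime(2025, 10, 12, 3, 14, 7, tzinfo=timezone.utc)


def _entry(ip, offset_s, method="POST", path=LOGIN_PATH, status=401):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 23 "-" "python-urllib/3.12"'


SAMPLE_LOG = (
    [_entry("198.51.100.4", 0, "GET", LOGIN_PATH, 200),          # real user loads the form
     _entry("198.51.100.4", 9),                                   # ...mistypes once
     _entry("198.51.100.4", 130, status=200)]                     # ...then logs in
    + [_entry("203.0.113.7", 20 + 2 * i) for i in range(12)]      # burst: 12 POSTs in 22 s
    + [_entry("203.0.113.7", 60, "GET", LOGIN_PATH, 200)]         # a GET is not an attempt
    + [_entry("192.0.2.9", 600 * i) for i in range(12)]           # 12 POSTs 10 min apart: below the rule
)

if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs between "
              f"{info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}")
```

Only 203.0.113.7 is flagged with the default rule; the slow client at 192.0.2.9 shows why a fixed window alone is a weak detector against low-and-slow guessing, and why the threshold and window should be tuned (or complemented by a count of failed logins per target account) rather than copied blindly.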