CVE-2025-63529

6.1 MEDIUM

📋 TL;DR

A session fixation vulnerability in Blood Bank Management System 1.0 allows attackers to hijack user sessions by setting session IDs before authentication. When victims log in, the system continues using the attacker's session ID instead of generating a new one, granting unauthorized access to victim accounts. This affects all users of the vulnerable system.

💻 Affected Systems

Products:
  • Blood Bank Management System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the login.php component specifically. Any deployment of version 1.0 is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover leading to unauthorized access to sensitive blood bank data, potential data manipulation, and privilege escalation to administrative functions.

🟠 Likely Case

Attacker gains access to user accounts, views sensitive personal and medical information, and potentially modifies blood bank records.

🟢 If Mitigated

Limited impact with proper session management controls, but still presents authentication bypass risk.

🌐 Internet-Facing: HIGH - Web applications exposed to the internet are directly vulnerable to session fixation attacks from remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the system, though external exposure increases risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and can be performed with basic web testing tools. The vulnerability is well-documented in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider implementing custom fixes or migrating to a secure alternative system.

🔧 Temporary Workarounds

Session Regeneration on Login

all

Modify login.php to regenerate session ID after successful authentication

Edit login.php and add session_regenerate_id(true); after successful authentication check

Secure Session Configuration

all

Implement secure session handling with proper cookie attributes

session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']); session_start();

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block session fixation attempts
  • Isolate the system behind VPN or internal network only, removing internet exposure

🔍 How to Verify

Check if Vulnerable:

Test by setting a session cookie before login, then logging in and checking if the same session ID persists. Use browser developer tools or curl to manipulate cookies.

Check Version:

Check the system version in the web interface or review source code files for version indicators.

Verify Fix Applied:

After applying fixes, verify that session IDs change after successful login and that session cookies have secure attributes set.

📡 Detection & Monitoring

Log Indicators:

  • Multiple login attempts with same session ID
  • Session IDs that don't change after authentication
  • Unusual session creation patterns

Network Indicators:

  • HTTP requests with manipulated session cookies
  • Repeated authentication attempts with fixed session parameters

SIEM Query:

web_requests session_id=* AND auth_success=true | stats count by session_id | where count > 1
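
The log indicators above, turned into a check as an added example (not part of the original advisory or the application's code): it flags session IDs that were presented before login and are still in use as authenticated sessions afterwards. The log layout, field names, paths and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. The field layout (ts, ip, sid, path, auth) is an
# assumption for this example, not the application's real log format.
SAMPLE_LOG = """\
2025-01-10T09:00:01 ip=203.0.113.7 sid=aaaa1111 path=/login.php auth=none
2025-01-10T09:02:10 ip=198.51.100.20 sid=aaaa1111 path=/login.php auth=none
2025-01-10T09:02:15 ip=198.51.100.20 sid=aaaa1111 path=/login.php auth=success
2025-01-10T09:02:16 ip=198.51.100.20 sid=aaaa1111 path=/home.php auth=session
2025-01-10T09:03:40 ip=203.0.113.7 sid=aaaa1111 path=/home.php auth=session
2025-01-10T09:05:00 ip=198.51.100.33 sid=bbbb2222 path=/login.php auth=none
2025-01-10T09:05:04 ip=198.51.100.33 sid=bbbb2222 path=/login.php auth=success
2025-01-10T09:05:05 ip=198.51.100.33 sid=cccc3333 path=/home.php auth=session
"""

LINE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) sid=(?P<sid>\S+) path=(?P<path>\S+) auth=(?P<auth>\w+)"
)

def find_surviving_sessions(log_text):
    """Return {sid: finding} for session IDs used both before and after login."""
    pre_auth_ips = defaultdict(set)   # sid -> IPs that presented it before login
    login_ip = {}                     # sid -> IP whose login succeeded on it
    post_auth_ips = defaultdict(set)  # sid -> IPs using it as an authenticated session
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        sid, ip, auth = m["sid"], m["ip"], m["auth"]
        if auth == "none" and sid not in login_ip:
            pre_auth_ips[sid].add(ip)
        elif auth == "success":
            login_ip[sid] = ip
        elif auth == "session":
            post_auth_ips[sid].add(ip)
    findings = {}
    for sid, ips in post_auth_ips.items():
        if sid not in pre_auth_ips:
            continue  # ID first appears after login: expected once IDs are regenerated
        foreign = (pre_auth_ips[sid] | ips) - {login_ip.get(sid)}
        findings[sid] = {"id_survived_login": True, "other_client_ips": sorted(foreign)}
    return findings

if __name__ == "__main__":
    for sid, finding in find_surviving_sessions(SAMPLE_LOG).items():
        print(sid, finding)
```

A finding with an empty other_client_ips list still shows the ID was not regenerated at login; a non-empty list means a second client shared that ID and should be triaged first.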
