CVE-2025-63800

7.5 HIGH

📋 TL;DR

This vulnerability allows authenticated users to set their account password to an empty string via the password change endpoint in Open Source Point of Sale 3.4.1. Because the empty value is accepted without server-side validation, password authentication is effectively disabled for that account, which could enable unauthorized access to user or administrative accounts. All installations running the affected version are vulnerable.

💻 Affected Systems

Products:
  • Open Source Point of Sale
Versions: 3.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with password change functionality enabled and accessible to authenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain administrative access, compromise the entire POS system, steal sensitive data, manipulate transactions, or deploy ransomware.

🟠 Likely Case: Malicious users or compromised accounts disable authentication on their own or other accounts, leading to unauthorized access and potential data theft.

🟢 If Mitigated: With proper network segmentation and monitoring, impact is limited to isolated systems with quick detection of suspicious password changes.

🌐 Internet-Facing: HIGH - Internet-facing installations are directly accessible to attackers who can exploit this after obtaining any valid credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can still exploit this, but external access requires initial internal foothold.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is trivial once credentials are obtained. A public proof-of-concept exists in the GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://opensourcepos.org/

Restart Required: No

Instructions:

1. Monitor official Open Source POS channels for security updates.
2. Apply the patch when available.
3. Verify that password validation is enforced server-side.

🔧 Temporary Workarounds

Implement server-side password validation
  • Platform: all
  • Description: Add server-side validation to reject empty passwords in password change requests.
  • Implementation: Modify the password change endpoint code to validate that the password length is greater than 0.

Disable password change functionality
  • Platform: all
  • Description: Temporarily disable the password change endpoint until a patch is available.
  • Implementation: Comment out or remove the password change route in the application code.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to POS system
  • Enable detailed logging of all password change attempts and monitor for empty password submissions

🔍 How to Verify

Check if Vulnerable:

Attempt to change the password to an empty string via the API or web interface. If the change succeeds without an error, the system is vulnerable.

Check Version:

Check the application version in the admin panel, or via 'php index.php' if the CLI is accessible.

Verify Fix Applied:

Attempt the same empty password change. You should receive a validation error, and the password should not change.

📡 Detection & Monitoring

Log Indicators:

  • Password change requests with empty password parameters
  • Successful password changes followed by failed login attempts

Network Indicators:

  • HTTP POST requests to password change endpoint with empty password fields

SIEM Query:

source="web_logs" AND (uri_path="/password/change" OR uri_path LIKE "%/password_change") AND (password="" OR repeat_password="")
