CVE-2025-6533

5.6 MEDIUM

📋 TL;DR

This vulnerability allows attackers to bypass authentication in novel-plus by replaying CAPTCHA tokens, potentially gaining unauthorized access to administrative functions. It affects novel-plus versions up to and including 5.1.3. The attack is carried out over the network but has high complexity.

💻 Affected Systems

Products:
  • xxyopen/201206030 novel-plus
Versions: Up to and including 5.1.3
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the CAPTCHA handler component in the login controller.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete administrative takeover of the novel-plus application, allowing attackers to modify content, access user data, or deploy further attacks.

🟠 Likely Case

Unauthorized access to administrative functions, potentially leading to data exposure or content manipulation.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploit disclosed publicly but requires specific timing and understanding of CAPTCHA replay attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a version above 5.1.3 if released, or implement workarounds.

🔧 Temporary Workarounds

Implement CAPTCHA Token Expiry

Applies to: all

Modify the CAPTCHA handler to enforce short-lived tokens (e.g., 30 seconds) and prevent reuse.

Modify novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java to add timestamp validation for CAPTCHA tokens.

Rate Limit Login Attempts

Applies to: all

Implement IP-based rate limiting on login endpoints to reduce brute-force effectiveness.

Configure the web server (e.g., nginx, Apache) or an application firewall to limit requests to the /ajaxLogin endpoint.
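The first workaround above asks for two properties from the CAPTCHA handler: a token must expire quickly, and it must be accepted at most once. The class below is an added example written for this page, not code from the novel-plus project or its LoginController; it shows a minimal server-side store that gives both properties. The class name, method names and the sample answers are hypothetical, and it assumes the login handler calls issue() when it renders the CAPTCHA image and consume() exactly once when it validates the submitted answer.

```java
// Added example (not novel-plus project code): a server-side CAPTCHA store that
// makes each token short-lived and single-use, so a captured token cannot be replayed.
// Assumption: the login handler calls issue() when rendering the CAPTCHA and
// consume() once when checking the submitted answer. Names are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class CaptchaStore {
    private static final class Entry {
        final String answer;
        final Instant expiresAt;
        Entry(String answer, Instant expiresAt) {
            this.answer = answer;
            this.expiresAt = expiresAt;
        }
    }

    private final Map<String, Entry> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public CaptchaStore(Duration ttl) {
        this.ttl = ttl;
    }

    /** Issues an opaque random token bound to the expected answer; only the token is sent to the client. */
    public String issue(String expectedAnswer) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Entry(expectedAnswer, Instant.now().plus(ttl)));
        return token;
    }

    /**
     * Validates a submitted answer. The entry is removed atomically on the first call,
     * so a second request carrying the same token is rejected even with the right answer.
     */
    public boolean consume(String token, String submittedAnswer) {
        if (token == null || submittedAnswer == null) return false;
        Entry e = pending.remove(token);                        // single use: gone after this call
        if (e == null) return false;                            // unknown or already consumed
        if (Instant.now().isAfter(e.expiresAt)) return false;   // past the TTL
        return constantTimeEquals(e.answer, submittedAnswer);
    }

    /** Compares answers without leaking their length-prefix timing. */
    private static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }

    /** Housekeeping: drop expired entries so abandoned CAPTCHAs do not accumulate in memory. */
    public void purgeExpired() {
        Instant now = Instant.now();
        pending.entrySet().removeIf(en -> now.isAfter(en.getValue().expiresAt));
    }

    public static void main(String[] args) throws InterruptedException {
        CaptchaStore store = new CaptchaStore(Duration.ofSeconds(30));
        String token = store.issue("k7x2");                       // constructed sample answer
        System.out.println("first use accepted: " + store.consume(token, "k7x2"));
        System.out.println("replay accepted:    " + store.consume(token, "k7x2")); // rejected: already consumed

        CaptchaStore shortLived = new CaptchaStore(Duration.ofMillis(10));
        String stale = shortLived.issue("a1b2");
        Thread.sleep(50);
        System.out.println("expired accepted:   " + shortLived.consume(stale, "a1b2")); // rejected: past TTL
    }
}
```

The important design choice is that the check and the removal happen in one `remove()` call on a concurrent map: two requests racing with the same token cannot both succeed, which a "look up, then delete later" sequence would allow. In a multi-instance deployment the map would need to be a shared store (for example a cache with a native TTL) with the same atomic take-and-delete semantics.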

🧯 If You Can't Patch

  • Restrict access to the novel-plus admin interface using network ACLs or VPNs.
  • Monitor authentication logs for unusual login patterns or CAPTCHA bypass attempts.

🔍 How to Verify

Check if Vulnerable:

Check if novel-plus version is 5.1.3 or earlier by reviewing application configuration or version files.

Check Version:

Check application configuration files or database for version information; no standard command available.

Verify Fix Applied:

Test login functionality to ensure CAPTCHA tokens cannot be replayed and expire as expected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts with reused CAPTCHA tokens
  • Successful logins from unusual IPs after CAPTCHA bypass

Network Indicators:

  • Unusual traffic patterns to /ajaxLogin endpoint
  • Rapid authentication requests

SIEM Query:

source="novel-plus" AND ((event="login_failure" AND captcha_token_reused="true") OR (event="login_success" AND ip NOT IN trusted_ips))
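The first log indicator above, a CAPTCHA token appearing in more than one login attempt, can be checked offline against the login log before a SIEM rule exists. The program below is an added example written for this page, not code from the novel-plus project; the log line format and the sample lines are constructed for the example, and the field names (ip, token) are assumptions to be mapped onto whatever your login handler actually writes.

```java
// Added example (not novel-plus project code): flags CAPTCHA tokens that are presented
// in more than one login attempt, the "reused CAPTCHA token" indicator in this section.
// The log format below is constructed for the example; adapt the regex to your real fields.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CaptchaReplayDetector {
    // Constructed line format: "<timestamp> login <result> ip=<ip> token=<token>"
    private static final Pattern LINE =
        Pattern.compile("^(\\S+) login (\\w+) ip=(\\S+) token=(\\S+)$");

    public static final class Finding {
        public final String token;
        public final int uses;
        public final Set<String> ips;
        Finding(String token, int uses, Set<String> ips) {
            this.token = token;
            this.uses = uses;
            this.ips = ips;
        }
    }

    /** Returns one finding per token that appears in two or more login attempts. */
    public static List<Finding> findReusedTokens(List<String> lines) {
        Map<String, Integer> uses = new LinkedHashMap<>();     // keeps first-seen order
        Map<String, Set<String>> ips = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;                         // skip lines that are not login events
            String ip = m.group(3);
            String token = m.group(4);
            uses.merge(token, 1, Integer::sum);
            ips.computeIfAbsent(token, k -> new TreeSet<>()).add(ip);
        }
        List<Finding> out = new ArrayList<>();
        for (Map.Entry<String, Integer> e : uses.entrySet()) {
            if (e.getValue() > 1) {
                out.add(new Finding(e.getKey(), e.getValue(), ips.get(e.getKey())));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> sample = List.of(                          // constructed log lines
            "2025-06-01T10:00:01Z login failure ip=198.51.100.7 token=Qm9vbQ",
            "2025-06-01T10:00:02Z login failure ip=198.51.100.7 token=Qm9vbQ",
            "2025-06-01T10:00:03Z login success ip=198.51.100.7 token=Qm9vbQ",
            "2025-06-01T10:05:00Z login success ip=203.0.113.9 token=dW5pcXVl",
            "2025-06-01T10:06:00Z worker heartbeat ok");
        for (Finding f : findReusedTokens(sample)) {
            System.out.println("token " + f.token + " presented " + f.uses
                + " times from " + f.ips + " (expected: once)");
        }
    }
}
```

A token that is seen more than once is the signal regardless of whether the attempts failed or succeeded: with the expiry-and-single-use fix in place, the second presentation should never produce a login_success, so a success following a repeat is the higher-severity case to alert on.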

🔗 References
