CVE-2025-65781

8.2 HIGH

📋 TL;DR

This vulnerability in Wekan allows attackers to cause application-layer denial of service (DoS) by sending any non-empty Authorization bearer token to the attachment upload API. The system incorrectly treats the token as a user ID and enters a non-terminating processing loop, consuming server resources. All Wekan instances up to version 18.15 are affected.

💻 Affected Systems

Products:
  • Wekan
Versions: All versions up to 18.15
Operating Systems: All platforms running Wekan
Default Config Vulnerable: ⚠️ Yes
Notes: All Wekan deployments using the vulnerable attachment upload API are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion. Because the handler treats an attacker-supplied token as a user ID, the same code path is also a candidate for identity confusion, although only the DoS is documented here.

🟠

Likely Case

Application-layer DoS causing service degradation or unavailability for legitimate users.

🟢

If Mitigated

Minimal impact if patched or if rate limiting and proper authentication controls are in place.

🌐 Internet-Facing: HIGH - Exploitation requires only HTTP requests with any non-empty bearer token, making internet-facing instances highly vulnerable.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; insider threats or compromised internal systems could exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - any HTTP request with a non-empty Authorization bearer header to the vulnerable endpoint triggers the issue. No authentication or special knowledge required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.16

Vendor Advisory: https://wekan.fi/hall-of-fame/spacebleed/

Restart Required: Yes

Instructions:

1. Back up your Wekan data and configuration.
2. Update Wekan to version 18.16 or later using your deployment method (Docker, Snap, etc.).
3. Restart the Wekan service.
4. Verify the update was successful (see How to Verify below).

🔧 Temporary Workarounds

Rate Limiting

Platform: all

Implement rate limiting on the attachment upload API endpoint. This bounds how many hung requests one source can create, but it does not stop a single request from triggering the loop, so combine it with the authentication rule below.

# Configure rate limiting in your reverse proxy (nginx example).
# limit_req_zone goes in the http {} block; the location goes in your server {} block.
limit_req_zone $binary_remote_addr zone=api:10m rate=5r/s;

location /api/attachments {
    limit_req zone=api burst=5 nodelay;
    limit_req_status 429;
    proxy_pass http://wekan:8080;
}

API Endpoint Restriction

Platform: all

Restrict access to the attachment upload API to authenticated users only via web application firewall or reverse proxy rules. With nginx's auth_request, every upload request is first sent (without its body) to a subrequest location that must answer 2xx to allow or 401/403 to deny; the validator upstream below is a placeholder for a service you operate that rejects tokens Wekan would not accept.

# Example nginx rule to require valid authentication (ngx_http_auth_request_module):
location /api/attachments {
    auth_request /auth;
    proxy_pass http://wekan:8080;
}
location = /auth {
    internal;
    proxy_pass http://token-validator/validate;   # placeholder upstream
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header Authorization $http_authorization;
}

🧯 If You Can't Patch

  • Implement strict rate limiting and request validation on the attachment upload endpoint
  • Deploy a web application firewall (WAF) with DoS protection rules

🔍 How to Verify

Check if Vulnerable:

Check whether the Wekan version is 18.15 or earlier. A live test, which should only be run against a non-production instance you own because on an unpatched server the probe is itself the trigger, is to send a POST to /api/attachments with any non-empty Authorization bearer header, using a client timeout, and observe whether the request hangs until the timeout or drives up server CPU/memory.

Check Version:

docker exec wekan-app node -e "console.log(require('/app/programs/server/npm/node_modules/wekan/package.json').version)"

Verify Fix Applied:

After updating to 18.16+, verify that requests with invalid bearer tokens are properly rejected and do not cause resource exhaustion.
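The check described above as a small script. This is an added example, not Wekan project code: it sends one POST to /api/attachments with a placeholder bearer token (the value "Bearer not-a-real-token" is an assumption; any non-empty token exercises the path) and classifies the outcome by status code and elapsed time. On an unpatched instance this single request is itself the trigger, so point it only at a test deployment you own.

```python
"""Post-patch check for CVE-2025-65781 behaviour (added example, not Wekan code).
Assumption: the placeholder token "Bearer not-a-real-token" is enough to reach
the affected handler, as the advisory states for any non-empty bearer value."""
import socket
import time
import urllib.error
import urllib.request

def classify(status, elapsed, timeout, timed_out):
    """Turn a probe outcome into a verdict. A patched server answers fast with
    a 4xx; a hang up to the client timeout matches the vulnerable behaviour."""
    if timed_out:
        return "likely-vulnerable: request hung for %.0fs" % timeout
    if status == 0:
        return "unreachable: no HTTP response"
    if 400 <= status < 500 and elapsed < timeout / 2:
        return "patched-behaviour: fast %d" % status
    if status >= 500:
        return "inconclusive: server error %d" % status
    return "inconclusive: status %d after %.1fs" % (status, elapsed)

def probe(base_url, timeout=15.0):
    """Send the probe to base_url (e.g. http://127.0.0.1:8080) and return the verdict."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/attachments",
        data=b"",
        method="POST",
        headers={"Authorization": "Bearer not-a-real-token"},
    )
    start = time.monotonic()
    status, timed_out = 0, False
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:      # 4xx/5xx arrive as exceptions
        status = e.code
    except (TimeoutError, socket.timeout):   # read timed out: the hang
        timed_out = True
    except urllib.error.URLError as e:       # connect-phase failure
        timed_out = isinstance(e.reason, (TimeoutError, socket.timeout))
    return classify(status, time.monotonic() - start, timeout, timed_out)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"))
```

A fast 4xx is the expected post-patch result; a hang until the client timeout is the behaviour this advisory describes. The exact rejection status a patched server returns is not stated on this page, so the script accepts any 4xx.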

📡 Detection & Monitoring

Log Indicators:

  • On an unpatched instance: POST /api/attachments requests that never complete, or that end with a proxy timeout (nginx 504) or client abort (nginx 499) after the full upstream timeout
  • On a patched instance: repeated rejected authentication attempts on /api/attachments
  • Unusually long request processing times for attachment uploads
  • High CPU/memory usage spikes correlated with API requests

Network Indicators:

  • High volume of requests to /api/attachments with various Authorization headers
  • Requests with malformed or placeholder bearer tokens

SIEM Query:

source="wekan" uri_path="/api/attachments" http_method="POST" authorization_header="Bearer *"
| stats count, max(request_time) AS max_rt by src_ip | where count > threshold OR max_rt > 10

Field names (authorization_header, request_time) and the count threshold are placeholders for your own schema. Do not index the raw Authorization header, since it contains live session tokens; record only whether a bearer token was present (or a hash of it) and match on that field instead. The duration condition matters because one request is enough to trigger the hang, so a count threshold alone misses a low-volume attacker.
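The log and network indicators above as detection logic run over sample reverse-proxy lines. This is an added example, not Wekan project code or a vendor-supplied rule. It assumes an nginx log_format of the shape '$remote_addr "$request" $status $request_time "$http_authorization"' (adjust the regex to your own format), records only whether a bearer token was present rather than its value, and flags both hung uploads and sources that burst the endpoint. The sample log lines are constructed, not real traffic.

```python
"""Detection for CVE-2025-65781 indicators over access logs (added example,
not Wekan code). Assumed nginx log_format, adjust LINE_RE to yours:
  '$remote_addr "$request" $status $request_time "$http_authorization"'
Only the presence of a bearer token is kept, never the token itself."""
import re
from collections import defaultdict

UPLOAD_PATH = "/api/attachments"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<rt>\d+(?:\.\d+)?) "(?P<auth>[^"]*)"$'
)

def parse_line(line):
    """Return a record for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    auth = m.group("auth")
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
        "rt": float(m.group("rt")),
        # non-empty bearer token: the precondition the advisory names
        "bearer": auth[:7].lower() == "bearer " and auth[7:].strip() != "",
    }

def analyse(lines, slow_seconds=10.0, burst_threshold=20):
    """Two findings: upload requests with a bearer token that took >= slow_seconds
    (the hang), and source IPs that sent >= burst_threshold such requests."""
    per_ip = defaultdict(int)
    slow = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != UPLOAD_PATH:
            continue
        if not rec["bearer"]:
            continue
        per_ip[rec["ip"]] += 1
        if rec["rt"] >= slow_seconds:
            slow.append(rec)
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return {"slow": slow, "bursts": bursts}

# Constructed sample log (not real traffic): two hung uploads from one source that
# hit the proxy's 60 s upstream timeout, one normal upload, one unrelated request,
# and one upload without any token.
SAMPLE_LOG = [
    '203.0.113.7 "POST /api/attachments HTTP/1.1" 504 60.002 "Bearer x"',
    '203.0.113.7 "POST /api/attachments HTTP/1.1" 504 60.001 "Bearer aaaa"',
    '198.51.100.4 "POST /api/attachments HTTP/1.1" 200 0.412 "Bearer eyJhbGciOi.redacted"',
    '198.51.100.4 "GET /api/boards HTTP/1.1" 200 0.031 "Bearer eyJhbGciOi.redacted"',
    '192.0.2.9 "POST /api/attachments HTTP/1.1" 401 0.004 ""',
]

if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG, burst_threshold=2)
    for rec in findings["slow"]:
        print("slow upload: %(ip)s status=%(status)d took %(rt).1fs" % rec)
    for ip, n in findings["bursts"].items():
        print("burst: %s sent %d bearer uploads" % (ip, n))
```

The slow-request finding is the one that matters on an unpatched instance, since a single hung request is the whole attack; the burst finding is the conventional DoS signal and catches scripted repeats.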

🔗 References
