CVE-2025-43863 LOW

CVE-2025-43863: vantage6 lacks brute-force protection on change password functionality

Vendor Vantage6
Product vantage6
Weakness CWE-307 · Brute force
Published June 12, 2025
Last update June 12, 2025

CVSS base score

1.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

What the vulnerability does

Description

vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If an attacker gets access to an authenticated session, they can try to brute-force the user's password through the change-password functionality: the route can be called an unlimited number of times, and it keeps returning a message that the password is wrong until the correct one is supplied. This vulnerability is fixed in 4.11.
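The illustration below is an added example and is not vantage6's own code; it is written in Python (the language vantage6 is implemented in) and uses a constructed single-user store, a hypothetical handler pair and assumed limits (5 failures, 15-minute lockout). It shows the CWE-307 pattern described above, a change-password handler that answers "wrong" indefinitely, next to a hardened variant that counts failed current-password checks per account and refuses further attempts once the limit is reached, which is the class of fix this record describes.

```python
"""Added example (not vantage6 code): change-password handler without and
with attempt limiting, to show why CWE-307 matters on this route."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed user store: username -> (salt, PBKDF2 hash). Not real data.
PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    salt, stored = USERS[user]
    return hmac.compare_digest(_hash(password, salt), stored)


def _store(user: str, new_password: str) -> None:
    salt = os.urandom(16)
    USERS[user] = (salt, _hash(new_password, salt))


# Vulnerable pattern: a wrong current password only yields an error message,
# so the route can be called as many times as the caller likes.
def change_password_unprotected(user: str, current: str, new: str) -> dict:
    if not verify_password(user, current):
        return {"ok": False, "msg": "Current password is incorrect"}
    _store(user, new)
    return {"ok": True, "msg": "Password changed"}


# Hardened pattern: track failed current-password checks per account and
# lock the route for a while once the limit is hit (assumed values).
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
_failures = defaultdict(int)
_locked_until: dict = {}


def change_password_protected(user: str, current: str, new: str, now=None) -> dict:
    """`now` is injectable so the lockout window can be tested deterministically."""
    now = time.monotonic() if now is None else now
    if _locked_until.get(user, 0) > now:
        # Same response whether or not the guess would have been right: the
        # route gives no further oracle while locked.
        return {"ok": False, "locked": True,
                "msg": "Too many failed attempts; try again later"}
    if not verify_password(user, current):
        _failures[user] += 1
        if _failures[user] >= MAX_FAILURES:
            _locked_until[user] = now + LOCKOUT_SECONDS
            _failures[user] = 0
            # A real deployment would also log this and notify the user, since
            # it indicates someone with a valid session is guessing passwords.
        return {"ok": False, "locked": False, "msg": "Current password is incorrect"}
    _failures[user] = 0
    _store(user, new)
    return {"ok": True, "locked": False, "msg": "Password changed"}
```

The lockout is keyed on the account rather than on the session, because the attacker in this scenario already holds a valid session; a session-scoped counter alone could be reset by simply reusing the stolen credentials to obtain a fresh one. Logging the lockout event gives the blue team a concrete detection signal for this misuse of the route.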

Key dates

Disclosure timeline

June 12, 2025 CVE published
June 12, 2025 Record updated