CVE-2025-61604 Overview
CVE-2025-61604 is a Cross-Site Request Forgery (CSRF) vulnerability affecting WeGIA, an open source web manager designed for charitable institutions. The vulnerability exists in versions 3.4.12 and below, where the delete operation for the Almoxarifado entity is exposed via HTTP GET without proper CSRF protection. This allows a malicious third-party site to trigger destructive delete actions using an authenticated victim's session, potentially leading to unauthorized data deletion.
Critical Impact
Attackers can leverage this CSRF vulnerability to delete Almoxarifado records without authorization by tricking authenticated users into visiting a malicious webpage, causing data integrity issues for charitable organizations using WeGIA.
Affected Products
- WeGIA versions 3.4.12 and below
- WeGIA Almoxarifado module (AlmoxarifadoControle.php)
- WeGIA web manager deployments without CSRF token validation
Discovery Timeline
- October 2, 2025 - CVE-2025-61604 published to NVD
- October 7, 2025 - Last updated in NVD database
Technical Details for CVE-2025-61604
Vulnerability Analysis
The vulnerability stems from how WeGIA handles state-changing operations. The Almoxarifado (warehouse/inventory) module executes its delete operation in response to an HTTP GET request and performs no CSRF token validation. Both choices matter: HTTP defines GET as a safe method, so browsers will issue a cross-site GET from an image tag, an iframe or a plain link without any user gesture, and without a per-session secret bound to the form the server cannot distinguish a request that originated from its own pages from one forged by another origin. Secure coding guidance therefore requires state-changing operations to use POST and to carry an anti-CSRF token.
When an authenticated administrator or user visits a malicious webpage while logged into WeGIA, the attacker-controlled page can include hidden image tags, iframes, or JavaScript that automatically send GET requests to the vulnerable delete endpoint. Because the victim's browser attaches the WeGIA session cookie to that request (unless the cookie carries a SameSite attribute that forbids it), the server processes the delete as if the legitimate user had initiated it.
Root Cause
The root cause is the absence of CSRF token generation and validation in the AlmoxarifadoControle.php controller. The vulnerable code path processes the delete request without any evidence that it originated from a form rendered by the application. Exposing the destructive operation over GET compounds the problem: GET is defined as safe and idempotent, so a single cross-site image load or link is enough to trigger the deletion, with no JavaScript required and no way for the user to notice.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must craft a malicious webpage containing requests to the vulnerable WeGIA delete endpoint and convince an authenticated WeGIA user to visit this page. The attack can be delivered through phishing emails, malicious advertisements, or compromised websites. Once the victim visits the malicious page while authenticated to WeGIA, the delete operation executes automatically without any visible indication to the user.
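The vulnerable shape described in the two sections above, beside a hardened handler, as an added PHP example. This is not WeGIA's code and not the project's actual Csrf class: the query parameters acao=excluir and id_almoxarifado, the in-memory store standing in for the almoxarifado table, and the function names are assumptions made for illustration. The script simulates four requests so the difference can be observed without a web server.

```php
<?php
// Added example, not WeGIA's code: a vulnerable delete handler of the shape the
// advisory describes beside a hardened one. The parameter names "acao"/"excluir"
// and "id_almoxarifado", the in-memory store and all function names are assumptions.
declare(strict_types=1);

/** Constructed sample data standing in for the almoxarifado table. */
function sampleStore(): array
{
    return [1 => 'Depósito central', 2 => 'Estoque de alimentos', 3 => 'Farmácia'];
}

/** Vulnerable shape: $method is ignored (GET deletes) and no token is checked. */
function deleteVulnerable(string $method, array $params, array &$store): int
{
    if (($params['acao'] ?? '') === 'excluir' && isset($params['id_almoxarifado'])) {
        unset($store[(int) $params['id_almoxarifado']]);
        return 200; // the browser sent the session cookie, so the app trusted the request
    }
    return 400;
}

/** Per-session token, created once and reused for the session's lifetime. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time comparison; an absent or empty token never validates. */
function csrfValid(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

/**
 * Hardened shape: state change only on POST, Fetch Metadata checked when the
 * browser sends it, and the per-session token required. Returns an HTTP status.
 */
function deleteHardened(string $method, array $post, array $headers, array $session, array &$store): int
{
    if ($method !== 'POST') {
        return 405; // a GET can never delete, so <img>/<iframe>/link CSRF is dead on arrival
    }
    $site = $headers['Sec-Fetch-Site'] ?? null; // defense in depth; older browsers omit it
    if ($site !== null && !in_array($site, ['same-origin', 'none'], true)) {
        return 403;
    }
    if (!csrfValid($session, $post['csrf_token'] ?? null)) {
        return 403; // a cross-site page cannot read the victim's token, so a forged POST fails here
    }
    $id = (int) ($post['id_almoxarifado'] ?? 0);
    if (!isset($store[$id])) {
        return 404;
    }
    unset($store[$id]);
    return 200;
}

// Walk the scenarios from the command line: php csrf_demo.php
if (PHP_SAPI === 'cli') {
    $store = sampleStore();
    // 1. Cross-site <img src="...?acao=excluir&id_almoxarifado=2"> against the vulnerable handler
    $status = deleteVulnerable('GET', ['acao' => 'excluir', 'id_almoxarifado' => 2], $store);
    printf("vulnerable GET -> %d, remaining ids: %s\n", $status, implode(',', array_keys($store)));

    $store = sampleStore();
    $session = [];
    $token = csrfToken($session); // what the legitimate form would embed as a hidden field
    // 2. The same forged GET against the hardened handler
    printf("hardened GET   -> %d\n", deleteHardened('GET', [], ['Sec-Fetch-Site' => 'cross-site'], $session, $store));
    // 3. Auto-submitting cross-site POST form; the attacker does not know the token
    printf("forged POST    -> %d\n", deleteHardened('POST', ['id_almoxarifado' => 2],
        ['Sec-Fetch-Site' => 'cross-site'], $session, $store));
    // 4. Legitimate same-origin form submission carrying the session's token
    $status = deleteHardened('POST', ['id_almoxarifado' => 2, 'csrf_token' => $token],
        ['Sec-Fetch-Site' => 'same-origin'], $session, $store);
    printf("legit POST     -> %d, remaining ids: %s\n", $status, implode(',', array_keys($store)));
}
```

The order of checks in deleteHardened is deliberate: refusing every non-POST request removes the image-tag and link vectors outright, the Sec-Fetch-Site check costs nothing and cannot be forged by page content, and the token check with hash_equals is what finally binds the request to a form the application rendered. In the real application the session cookie should additionally be issued with session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']) before session_start(); Lax would still send the cookie on a top-level cross-site GET, which is exactly the request this endpoint accepted.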
// Security patch implementing CSRF token generation and validation
// Source: https://github.com/LabRedesCefetRJ/WeGIA/commit/839de09798f61c9a76043bb2c4b3063d310c5aed
+<?php
+class Csrf
+{
+ /**
+ * Gera e retorna um token CSRF
+ */
+ public static function generateToken(): string
+ {
+ if (session_status() !== PHP_SESSION_ACTIVE) {
+ session_start();
+ }
+
+ if (empty($_SESSION['csrf_token'])) {
+ $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+ }
+
+ return $_SESSION['csrf_token'];
+ }
+
+ /**
+ * Retorna o HTML de um campo hidden com o token
+ */
+ public static function inputField(): string
+ {
+ $token = self::generateToken();
+ return '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
+ }
+
+ /**
+ * Valida se o token informado é válido
+ */
+}
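Review bot: the validation method announced by the last docblock ("Valida se o token informado é válido") has no body in this hunk, and it is the only part of the class that decides whether a request is accepted, so this excerpt cannot be reviewed for the property the fix claims. When it is present it should compare with `hash_equals($_SESSION['csrf_token'], $submitted)` and treat a missing or empty `csrf_token` as a failure; a loose `==` comparison, or `null` on both sides when no session token exists yet, would otherwise pass. `generateToken()` and `inputField()` themselves look right: `random_bytes(32)` is a CSPRNG, the session is started before use, and the hidden field is escaped with `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`.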
// Patch applied to AlmoxarifadoControle.php adding CSRF protection
// Source: https://github.com/LabRedesCefetRJ/WeGIA/commit/839de09798f61c9a76043bb2c4b3063d310c5aed
<?php
include_once ROOT . '/classes/Almoxarifado.php';
include_once ROOT . '/dao/AlmoxarifadoDAO.php';
+require_once dirname(__FILE__, 2) . DIRECTORY_SEPARATOR . 'classes' . DIRECTORY_SEPARATOR . 'Csrf.php';
+require_once dirname(__FILE__, 2) . DIRECTORY_SEPARATOR . 'classes' . DIRECTORY_SEPARATOR . 'Util.php';
+
class AlmoxarifadoControle
{
public function verificar()
{
- $descricao_almoxarifado= trim($_POST['descricao_almoxarifado']);
+ $descricao_almoxarifado = trim($_POST['descricao_almoxarifado']);
try {
$almoxarifado = new Almoxarifado($descricao_almoxarifado);
return $almoxarifado;
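Review bot: the part of the controller shown still reads `$_POST['descricao_almoxarifado']` unconditionally in `verificar()`, so a request without that field raises an undefined-index warning and, on PHP 8.1 and later, a `trim(null)` deprecation; use `trim($_POST['descricao_almoxarifado'] ?? '')`. Nothing in the visible hunk calls the newly required `Csrf` class (the two `require_once` lines are the only functional change shown), so the delete path that the advisory says now validates the token lies outside this excerpt; a reviewer should confirm there that the delete action rejects GET outright rather than only checking the token, since a token check alone still leaves a destructive operation reachable by a safe method.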
Detection Methods for CVE-2025-61604
Indicators of Compromise
- HTTP GET requests to the AlmoxarifadoControle.php delete action whose Referer header names a domain other than the WeGIA host, or that carry no Referer at all
- Delete operations in WeGIA audit logs with no corresponding user interface activity (no preceding page loads from the same session)
- Sec-Fetch-Site: cross-site on requests to state-changing endpoints, where the web server is configured to log the Fetch Metadata headers that modern browsers send
- Multiple delete requests from the same authenticated session arriving within the same second, as a malicious page can embed several hidden image tags that fire at once
Detection Strategies
- Add WAF or reverse-proxy rules that flag (or block) GET requests carrying delete parameters to AlmoxarifadoControle.php when the Referer is external or missing; prefer the Sec-Fetch-Site header where it is present, because the browser sets it itself and page content can neither forge nor suppress it, whereas Referer can be stripped by a Referrer-Policy or a privacy extension
- Review web server access logs for GET requests to state-changing endpoints; the Apache combined log format already records the Referer, and a custom LogFormat can add %{Sec-Fetch-Site}i
- Configure SIEM rules that correlate each delete operation with the session's preceding activity and alert on deletes from sessions that showed no navigation inside the application beforehand
Monitoring Recommendations
- Enable detailed access logging on WeGIA instances so that the Referer and, via %{Sec-Fetch-Site}i, the browser's own cross-site signal are recorded alongside the request line
- Set up alerting for bulk delete operations or delete operations occurring outside normal business hours
- Monitor for authenticated sessions performing destructive actions immediately after page loads from external sources
- Implement user behavior analytics to detect anomalous administrative actions
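The indicators and detection strategies above, applied to access-log lines, as an added PHP example (not part of the original page or of WeGIA). The six log lines are constructed; the controller path, the acao=excluir parameter and the allowed host wegia.example are assumptions, and the script flags GET delete requests whose Referer is external or absent and then looks for bursts from one client address.

```php
<?php
// Added example, not WeGIA's code: scans Apache "combined" access-log lines for the
// CSRF pattern the advisory describes. The log lines are constructed; the controller
// path, the "acao=excluir" parameter and the allowed host are assumptions.
declare(strict_types=1);

const ALLOWED_HOSTS = ['wegia.example'];
const DELETE_PATH   = '/controle/AlmoxarifadoControle.php';
const BURST_WINDOW  = 60; // seconds
const BURST_COUNT   = 3;

/** Constructed sample: one legitimate listing, three forged deletes, one with no Referer, one POST. */
function sampleLog(): array
{
    return [
        '198.51.100.7 - - [07/Oct/2025:13:58:02 +0000] "GET /controle/AlmoxarifadoControle.php?acao=listar HTTP/1.1" 200 4120 "https://wegia.example/html/almoxarifado.php" "Mozilla/5.0"',
        '203.0.113.10 - - [07/Oct/2025:14:03:11 +0000] "GET /controle/AlmoxarifadoControle.php?acao=excluir&id_almoxarifado=7 HTTP/1.1" 200 512 "https://evil.example/promo.html" "Mozilla/5.0"',
        '203.0.113.10 - - [07/Oct/2025:14:03:12 +0000] "GET /controle/AlmoxarifadoControle.php?acao=excluir&id_almoxarifado=8 HTTP/1.1" 200 512 "https://evil.example/promo.html" "Mozilla/5.0"',
        '203.0.113.10 - - [07/Oct/2025:14:03:12 +0000] "GET /controle/AlmoxarifadoControle.php?acao=excluir&id_almoxarifado=9 HTTP/1.1" 200 512 "https://evil.example/promo.html" "Mozilla/5.0"',
        '198.51.100.7 - - [07/Oct/2025:14:10:40 +0000] "GET /controle/AlmoxarifadoControle.php?acao=excluir&id_almoxarifado=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [07/Oct/2025:14:12:05 +0000] "POST /controle/AlmoxarifadoControle.php HTTP/1.1" 302 0 "https://wegia.example/html/almoxarifado.php" "Mozilla/5.0"',
    ];
}

/** Parses one combined-format line into its fields, or null if it does not match. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return [
        'ip'      => $m[1],
        'time'    => $ts ? $ts->getTimestamp() : 0,
        'method'  => $m[3],
        'path'    => parse_url($m[4], PHP_URL_PATH) ?? $m[4],
        'query'   => parse_url($m[4], PHP_URL_QUERY) ?? '',
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

/** A GET carrying the delete action is state-changing; the Referer tells us who triggered it. */
function isCrossSiteDelete(array $r): bool
{
    if ($r['method'] !== 'GET' || $r['path'] !== DELETE_PATH) {
        return false;
    }
    parse_str($r['query'], $q);
    if (($q['acao'] ?? '') !== 'excluir') {
        return false;
    }
    if ($r['referer'] === '-') {
        return true; // no Referer: a Referrer-Policy can strip it, so treat as suspect, not benign
    }
    return !in_array(parse_url($r['referer'], PHP_URL_HOST), ALLOWED_HOSTS, true);
}

/** Returns human-readable findings: one per suspicious request, plus one per client burst. */
function scan(array $lines): array
{
    $findings = [];
    $byIp = [];
    foreach ($lines as $n => $line) {
        $r = parseLine($line);
        if ($r === null) {
            $findings[] = sprintf('line %d: unparseable', $n + 1);
            continue;
        }
        if (!isCrossSiteDelete($r)) {
            continue;
        }
        $findings[] = sprintf('line %d: cross-site GET delete from %s (Referer %s, HTTP %d)',
            $n + 1, $r['ip'], $r['referer'], $r['status']);
        $byIp[$r['ip']][] = $r['time'];
    }
    foreach ($byIp as $ip => $times) {
        sort($times);
        for ($i = BURST_COUNT - 1; $i < count($times); $i++) {
            if ($times[$i] - $times[$i - BURST_COUNT + 1] <= BURST_WINDOW) {
                $findings[] = sprintf('burst: %d delete GETs from %s within %ds', BURST_COUNT, $ip, BURST_WINDOW);
                break;
            }
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    foreach (scan(sampleLog()) as $finding) {
        echo $finding, PHP_EOL;
    }
}
```

On the sample input the listing request and the POST pass, lines 2 to 5 are reported, and the three requests from 203.0.113.10 within one second produce a burst finding. An HTTP 200 on a flagged line means the deletion went through, which is the case worth taking to the audit log and the backups; a 302 or 4xx after the fix is applied is the same pattern, now harmless.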
How to Mitigate CVE-2025-61604
Immediate Actions Required
- Upgrade WeGIA to version 3.5.0 or later immediately
- Review audit logs and web server access logs for delete operations on Almoxarifado records that may have been triggered through CSRF (see the indicators listed under Detection Methods)
- Restore any deleted records from backups if evidence of exploitation is found
- Consider implementing a web application firewall with CSRF protection as defense-in-depth
Patch Information
The vulnerability has been fixed in WeGIA version 3.5.0. The patch introduces a new Csrf class in classes/Csrf.php that handles CSRF token generation and validation. The fix uses cryptographically secure random token generation via bin2hex(random_bytes(32)) and stores tokens in the PHP session. The AlmoxarifadoControle.php controller has been updated to require and validate CSRF tokens for delete operations.
For detailed patch information, see the GitHub Security Advisory GHSA-59hm-4m9h-ch3m and the commit implementing the fix.
Workarounds
- Restrict access to WeGIA administrative functions to trusted internal networks until patching is possible; this reduces exposure but does not by itself stop CSRF, since the victim's browser sits inside that network
- Use a reverse proxy or WAF to rewrite the session cookie with SameSite=Strict and to validate the Referer on the controller path. SameSite=Lax is not sufficient here: Lax withholds the cookie on image and iframe loads but still sends it on a top-level cross-site GET navigation, so a plain link to the delete URL would still succeed against a GET endpoint
- Educate users to avoid clicking links in emails or visiting untrusted websites while authenticated to WeGIA
- Consider disabling the Almoxarifado delete functionality temporarily if it is not critical to operations
# Example: Configure Apache 2.4 (mod_setenvif and mod_authz_host) to reject
# requests for the Almoxarifado controller whose Referer is not the WeGIA host.
# Replace your-wegia-domain.com with the real host. The trailing "/" in the
# pattern stops your-wegia-domain.com.evil.example from matching. Requests
# with no Referer at all are rejected too, so verify that the application's own
# pages still work (a strict Referrer-Policy or a privacy extension would
# otherwise lock legitimate users out).
<LocationMatch "/controle/AlmoxarifadoControle\.php">
    SetEnvIf Referer "^https?://your-wegia-domain\.com(:[0-9]+)?/" valid_referer
    Require env valid_referer
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


