CVE-2025-62512 Overview
CVE-2025-62512 is a user enumeration vulnerability in Piwigo, an open source photo gallery application for the web. The flaw affects version 15.5.0 and likely earlier 15.x releases. The password reset endpoint at password.php?action=lost returns distinct response messages for valid versus invalid accounts. An unauthenticated remote attacker can use this behavior to determine whether a given username or email address exists in the system. The vulnerability is categorized under [CWE-204: Observable Response Discrepancy]. As of publication, no official patch is available from the vendor.
Critical Impact
Unauthenticated attackers can enumerate valid usernames and email addresses, enabling targeted credential stuffing, phishing, and brute-force attacks against confirmed accounts. The flaw itself discloses only whether an account exists; the impact comes from what a verified account list enables downstream.
Affected Products
- Piwigo 15.5.0
- Piwigo earlier 15.x releases (likely affected)
- Affected component: the password.php?action=lost endpoint (password recovery form)
Discovery Timeline
- 2026-02-24 - CVE-2025-62512 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2025-62512
Vulnerability Analysis
The vulnerability resides in the password recovery workflow exposed at password.php?action=lost. When a user submits a username or email address to initiate a password reset, the application returns different response messages depending on whether the supplied identifier matches an existing account. This observable response discrepancy allows attackers to confirm the presence of specific accounts without authentication.
The issue is classified as [CWE-204: Observable Response Discrepancy]. While the flaw does not directly compromise confidentiality of stored data or grant code execution, it weakens the privacy boundary around account identity. Attackers can script automated requests to iterate through username and email lists, building a verified roster of valid accounts hosted on a target Piwigo instance.
With an EPSS percentile of 85.09, the likelihood of exploitation attempts is meaningfully elevated compared to typical CVEs (the percentile ranks this CVE against all others scored at the time; it is not a probability of compromise). The attack requires no privileges and no user interaction, and the endpoint is reachable over the network by design, since a password reset form must be usable by people who cannot log in.
Root Cause
The password reset handler discloses account existence through differentiated server responses. Secure password reset implementations return a uniform message regardless of whether the submitted identifier is valid, preventing attackers from distinguishing real accounts from non-existent ones.
Attack Vector
An unauthenticated attacker sends HTTP requests to the password.php?action=lost endpoint with candidate usernames or email addresses. By parsing the differing response bodies, the attacker enumerates which identifiers correspond to valid accounts. The harvested list can then be used to fuel credential stuffing campaigns, targeted phishing, or password spraying attacks against confirmed users.
No verified exploit code is published in the referenced advisory. For technical details, see the Piwigo GitHub Security Advisory GHSA-h4wx-7m83-xfxc.
Detection Methods for CVE-2025-62512
Indicators of Compromise
- High volume of HTTP requests to password.php?action=lost from a single source IP or distributed set of IPs.
- Sequential or dictionary-style submissions of usernames and email addresses to the password reset endpoint.
- Many password reset submissions from one client that are never followed by the second step of a reset (a visit to the emailed confirmation link). Note that the reset endpoint answers 200 for valid and invalid identifiers alike, so "success" cannot be read from the status code in web server access logs.
Detection Strategies
- Inspect web server and application logs for repeated POST or GET requests targeting password.php with the action=lost parameter.
- Correlate response codes and content lengths returned by the password reset endpoint to detect automated enumeration probing. Because the status code is the same either way, the useful signal is a single client receiving two distinct response sizes from the same URL, one for existing and one for non-existent accounts; this only works if the page carries no per-request variable content (for example a CSRF token of varying length) that would randomise the size on its own.
- Deploy web application firewall (WAF) rules that flag high-rate access to authentication recovery URLs.
Monitoring Recommendations
- Establish baselines for normal password reset traffic and alert on deviations such as bursts of unique identifiers tested per minute.
- Aggregate authentication and recovery endpoint telemetry centrally to enable cross-source correlation.
- Monitor downstream signals such as spikes in failed logins shortly after enumeration patterns are observed.
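The detection strategies and monitoring recommendations above, applied to a handful of constructed access-log lines. This is an added example and not part of the advisory or of Piwigo; it assumes the standard Apache/nginx combined log format, that the reset form submits back to password.php?action=lost with POST, and that the two response sizes (5120 and 5163 bytes) are the "known" and "unknown" answers of the oracle. Those sizes, the IP addresses and the thresholds are illustrative.

```python
"""Flag password-reset enumeration against password.php?action=lost in
web server access logs. Added example; log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one client hammering the form (two response sizes),
# one ordinary user loading the form once and submitting it once.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2026:10:00:01 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5120
203.0.113.7 - - [24/Feb/2026:10:00:02 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5120
203.0.113.7 - - [24/Feb/2026:10:00:02 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5163
203.0.113.7 - - [24/Feb/2026:10:00:03 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5120
203.0.113.7 - - [24/Feb/2026:10:00:04 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5163
203.0.113.7 - - [24/Feb/2026:10:00:04 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5120
203.0.113.7 - - [24/Feb/2026:10:00:05 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5120
198.51.100.23 - - [24/Feb/2026:10:03:10 +0000] "GET /password.php?action=lost HTTP/1.1" 200 4988
198.51.100.23 - - [24/Feb/2026:10:03:41 +0000] "POST /password.php?action=lost HTTP/1.1" 200 5163
198.51.100.23 - - [24/Feb/2026:10:04:02 +0000] "GET /index.php HTTP/1.1" 200 9001
"""


def parse_reset_requests(log_text):
    """Yield one record per request whose path is password.php with action=lost."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/password.php"):
            continue
        if parse_qs(url.query).get("action") != ["lost"]:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "status": int(m["status"]),
            "size": None if m["size"] == "-" else int(m["size"]),
        }


def peak_in_window(times, window_seconds):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def profile_sources(log_text, window_seconds=60, rate_threshold=5, min_submissions=3):
    """Per source IP: request counts, burst rate and the set of response
    sizes seen on form submissions. Thresholds are assumed, tune to baseline."""
    per_ip = defaultdict(list)
    for rec in parse_reset_requests(log_text):
        per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        posts = [r for r in recs if r["method"] == "POST"]
        sizes = sorted({r["size"] for r in posts if r["size"] is not None})
        peak = peak_in_window([r["ts"] for r in posts], window_seconds)
        # Two signals: a submission rate no human reaches, and a bimodal
        # response size from one client, i.e. it is receiving both answers
        # the oracle can give.
        suspicious = peak >= rate_threshold or (
            len(posts) >= min_submissions and len(sizes) >= 2
        )
        report[ip] = {
            "requests": len(recs),
            "submissions": len(posts),
            "peak_per_window": peak,
            "distinct_sizes": sizes,
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for ip, info in profile_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The size-based signal is the one worth keeping after the endpoint is patched as well: if a fix is applied and one client still sees two response sizes from the reset form, the discrepancy has not actually been closed.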
How to Mitigate CVE-2025-62512
Immediate Actions Required
- Restrict public access to password.php?action=lost where feasible, for example through IP allowlisting or an authenticating reverse proxy. This only suits galleries whose users all come from known networks or already hold a separate proxy credential; for a public gallery it removes self-service password reset for exactly the users who need it.
- Apply rate limiting to the password reset endpoint to slow automated enumeration attempts.
- Deploy CAPTCHA or equivalent challenge mechanisms in front of the password recovery workflow.
Patch Information
As of publication, no official patch is available from the vendor. Monitor the Piwigo GitHub Security Advisory GHSA-h4wx-7m83-xfxc for updates and apply the fix as soon as it is released.
Workarounds
- Place the Piwigo instance behind a WAF configured to throttle repeated requests to the password reset endpoint.
- Modify the application response in password.php to return a uniform message such as "If the account exists, a reset link has been sent" regardless of identifier validity. The status code, page size and any other visible page element must also be identical on both paths, or the oracle simply moves from the message text to those signals. Edits to Piwigo core files are overwritten on upgrade, so record the change and re-verify after every update.
- Enumeration on its own exposes no passwords, so rotation is only warranted for accounts that show follow-on abuse (failed login bursts, password spraying, reset mails the owner did not request). For the rest, enforce strong password policies and multi-factor authentication where the deployment supports it, so that a confirmed username does not translate into a usable login.
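A stand-in for the handler described under Root Cause and Attack Vector, in both the leaky and the uniform-response form recommended as a workaround, with a check that reports whether a handler still acts as an enumeration oracle. This is an added example, not Piwigo code and not the fix from the advisory: the account table, the message strings and the function names are assumptions, and the real handler's wording is not reproduced.

```python
"""Leaky vs. uniform password-reset handler and an oracle check.
Added example; the handlers are models, not Piwigo's password.php."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed sample user table; Piwigo's real schema is not modelled.
ACCOUNTS = {"alice": "alice@example.org", "bob": "bob@example.org"}
OUTBOX = []  # stands in for the mail queue


def lookup(identifier):
    """Resolve a username or e-mail address to a username, or None."""
    for user, email in ACCOUNTS.items():
        if identifier in (user, email):
            return user
    return None


def leaky_reset(identifier):
    """CWE-204 shape: the body tells the caller whether the account exists.
    The two messages are assumed wording, not Piwigo's actual strings."""
    user = lookup(identifier)
    if user is None:
        return Response(200, "Invalid username or email address")
    OUTBOX.append((ACCOUNTS[user], secrets.token_urlsafe(32)))
    return Response(200, "Check your mailbox for the confirmation link")


def uniform_reset(identifier):
    """Hardened shape: identical status and body either way. The token is
    generated on both paths so the work done does not depend on the answer;
    only the mail send is conditional."""
    user = lookup(identifier)
    token = secrets.token_urlsafe(32)
    if user is not None:
        OUTBOX.append((ACCOUNTS[user], token))
    return Response(200, "If the account exists, a reset link has been sent")


def is_enumeration_oracle(handler, known_valid, known_invalid):
    """Probe a handler with one identifier known to exist and one known not
    to, and report each observable difference. Timing is not measured here;
    a timing gap would be a separate side channel to test for."""
    a, b = handler(known_valid), handler(known_invalid)
    findings = {
        "status_differs": a.status != b.status,
        "length_differs": len(a.body) != len(b.body),
        "body_differs": a.body != b.body,
    }
    findings["oracle"] = any(findings.values())
    return findings


def enumerate_accounts(handler, candidates, known_invalid):
    """The attacker's loop from the Attack Vector section: every candidate
    whose response differs from the known-invalid baseline is confirmed."""
    baseline = handler(known_invalid)
    confirmed = []
    for candidate in candidates:
        r = handler(candidate)
        if (r.status, r.body) != (baseline.status, baseline.body):
            confirmed.append(candidate)
    return confirmed


if __name__ == "__main__":
    print("leaky  :", is_enumeration_oracle(leaky_reset, "alice", "nobody"))
    print("uniform:", is_enumeration_oracle(uniform_reset, "alice", "nobody"))
    print("harvest:", enumerate_accounts(leaky_reset, ["alice", "carol", "bob@example.org"], "nobody"))
```

The same probe works against a live endpoint by swapping the handler for an HTTP client: submit one identifier you know exists and one you know does not, and compare status, body and length. Run it after applying the workaround and again after each Piwigo upgrade, since a core-file edit does not survive an update.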
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.