CVE-2025-63523 Overview
CVE-2025-63523 affects FeehiCMS version 2.1.1, a PHP-based content management system. The application fails to enforce server-side immutability for parameters that the client interface presents as read-only. An authenticated attacker can intercept HTTP requests and modify these parameters in transit, and the backend accepts the tampered values without validation. This enables unintended username changes and similar account-level modifications that should not be permitted through standard workflows.
Critical Impact
Authenticated attackers can bypass client-side read-only restrictions to modify protected account parameters, including usernames, leading to integrity violations and potential account takeover scenarios.
Affected Products
- FeehiCMS 2.1.1
- Feehi CMS deployments using the affected user profile endpoints
- Web applications built on the vulnerable FeehiCMS codebase
Discovery Timeline
- 2025-12-01 - CVE-2025-63523 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-63523
Vulnerability Analysis
The vulnerability is a broken access control and business logic flaw. FeehiCMS 2.1.1 renders certain account fields as read-only at the user interface layer but does not re-validate immutability on the server. When an authenticated user submits a profile update, the backend processes every supplied field, including those the UI marks as non-editable.
An attacker who intercepts the outbound HTTP request using a proxy tool can change the value of the username field or other restricted parameters. The server accepts the modified payload and persists the change. This breaks the trust boundary between client-rendered controls and server-enforced policy [CWE-125 referenced; functionally aligns with broken access control and improper input validation].
The issue affects the integrity of user accounts. A successful exploit alters identity attributes that other application logic, audit trails, or downstream integrations may depend on.
Root Cause
The root cause is reliance on client-side enforcement. The application assumes that fields hidden or disabled in the rendered form will not be modified. The server-side handler does not maintain an allowlist of mutable fields or compare submitted values against the stored, immutable record before committing changes.
Attack Vector
Exploitation requires an authenticated session and network access to the application. The attacker logs in with valid credentials, opens the profile editing page, and captures the form submission with an interception proxy. The attacker modifies the username parameter, or any other supposedly read-only field, and forwards the request. The server returns a success response and the change takes effect. No special privileges beyond a standard user account are needed. Refer to the GitHub CVE-2025-63523 Details writeup and the GitHub Issue Discussion #77 for reproduction details.
Detection Methods for CVE-2025-63523
Indicators of Compromise
- Unexpected username changes in the FeehiCMS user table without corresponding administrative action
- Profile update HTTP requests containing fields the standard UI does not allow editing
- Audit log entries showing identity attribute changes from non-administrative accounts
- Authentication anomalies where existing sessions reference usernames that no longer match account records
Detection Strategies
- Compare submitted form parameters in application logs against an expected allowlist of editable fields for each endpoint
- Implement database-level triggers or change auditing on the username column to flag any modification
- Review web server and application logs for POST requests to profile update endpoints containing unexpected parameters
Monitoring Recommendations
- Enable verbose request logging on FeehiCMS profile and account management endpoints
- Forward application and database audit events to a centralized log platform for correlation
- Alert on any change to username values outside of an explicit administrative workflow
- Monitor for repeated profile update requests from the same session, which can indicate parameter tampering attempts
How to Mitigate CVE-2025-63523
Immediate Actions Required
- Restrict access to FeehiCMS 2.1.1 administrative and profile editing functions to trusted users until a patch is applied
- Audit existing user records for unauthorized username changes and restore affected accounts from backups where needed
- Deploy server-side validation that rejects any submitted value for fields documented as immutable
- Apply a web application firewall rule to drop profile update requests containing the username parameter
Patch Information
At the time of publication, no official vendor patch is referenced in the NVD entry. Track the upstream project through the GitHub Issue Discussion #77 for fix availability and apply updates as soon as the maintainer publishes a corrected release.
Workarounds
- Modify the server-side profile update controller to ignore any field not in an explicit mutable allowlist
- Re-read the existing username from the database on every update operation and overwrite any client-supplied value
- Add an integrity check that compares the submitted immutable fields against stored values and rejects mismatches
- Limit profile update endpoints to specific roles and require re-authentication for any identity-related change
# Example Nginx rule to strip a tampered username parameter from profile updates
location /user/profile/update {
if ($request_method = POST) {
# Block requests that include a username field in the body
if ($request_body ~* "(^|&)username=") {
return 403;
}
}
proxy_pass http://feehicms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

