Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66289

CVE-2025-66289: OrangeHRM Auth Bypass Vulnerability

CVE-2025-66289 is an authentication bypass flaw in OrangeHRM versions 5.0 to 5.7 that fails to invalidate sessions when users are disabled or passwords change, allowing unauthorized access to continue.

Published:

CVE-2025-66289 Overview

CVE-2025-66289 affects OrangeHRM, a widely deployed human resource management (HRM) system. Versions 5.0 through 5.7 fail to invalidate active sessions when an administrator disables a user account or when a password change occurs. Existing session cookies remain valid indefinitely, defeating both account disablement and credential rotation as security controls.

The flaw maps to [CWE-613] Insufficient Session Expiration. Attackers holding a session cookie from a compromised or terminated account retain full access to protected functionality. OrangeHRM patched the issue in version 5.8.

Critical Impact

Disabled accounts and rotated passwords do not terminate active sessions, allowing attackers and former users to retain authenticated access to OrangeHRM until the session cookie naturally expires.

Affected Products

  • OrangeHRM version 5.0 through 5.7
  • OrangeHRM Open Source edition on the affected version range
  • Self-hosted OrangeHRM deployments running pre-5.8 builds

Discovery Timeline

  • 2025-11-29 - CVE-2025-66289 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66289

Vulnerability Analysis

OrangeHRM maintains authenticated state through server-side session cookies. The application correctly establishes and validates these sessions during login but does not perform server-side revocation when an account's authorization state changes. Disabling a user, deleting a user, or resetting a password updates the user record without iterating the session store to invalidate sessions tied to that principal.

The consequence is a persistent authentication state divorced from the account's authorization state. An administrator who clicks "disable" believes access has been revoked, but any browser holding a prior session cookie continues to pass authentication checks. The same gap applies to password resets initiated after a suspected compromise, meaning credential rotation does not evict the attacker.

Root Cause

The root cause is missing session lifecycle management at critical state transitions. The application treats account status as a login-time check rather than a per-request invariant. There is no hook in the user-disable, user-delete, or password-update flows that calls into the session backend to terminate matching sessions.

Attack Vector

An authenticated attacker who has captured a session cookie, through phishing, cross-site scripting, malware, or a shared device, retains access after the victim resets their password. A terminated employee whose account is disabled by HR continues to access OrangeHRM from any browser where a session is still open. The attack requires network access to the OrangeHRM instance and low privileges to initially obtain the session.

The vulnerability mechanism is described in the OrangeHRM GitHub Security Advisory GHSA-99qp-xh4q-pr9x. No public proof-of-concept is required because exploitation only involves continuing to use an existing authenticated session.

Detection Methods for CVE-2025-66289

Indicators of Compromise

  • Authenticated OrangeHRM activity from a user account after that account was disabled in the administrative console.
  • Session cookies still presenting valid PHPSESSID or orangehrm session identifiers after a documented password reset event.
  • Access patterns from terminated employees appearing in OrangeHRM web server logs after their offboarding date.
  • Concurrent sessions for the same user from geographically inconsistent source IPs following a credential rotation.

Detection Strategies

  • Correlate OrangeHRM application logs with HR offboarding events to identify access by recently disabled accounts.
  • Alert on any HTTP request bearing a session cookie whose associated user has status=disabled in the OrangeHRM database.
  • Compare timestamps of password change events against subsequent authenticated requests from the same session identifier.

Monitoring Recommendations

  • Ingest OrangeHRM access logs and database audit logs into a centralized SIEM for cross-correlation.
  • Track session token reuse across IP addresses and user-agent strings to surface hijacked sessions.
  • Monitor administrative actions such as user disable and password reset and flag any continued activity by the affected principal within 24 hours.

How to Mitigate CVE-2025-66289

Immediate Actions Required

  • Upgrade OrangeHRM to version 5.8 or later, which contains the official fix for session invalidation on account state changes.
  • Force a global logout by truncating or rotating the session store after upgrade to evict any pre-existing sessions.
  • Review the OrangeHRM user list and identify any disabled accounts that may have retained active sessions during the vulnerable window.
  • Rotate credentials for privileged OrangeHRM accounts after the upgrade and verify the new sessions behave as expected.

Patch Information

OrangeHRM released the fix in version 5.8. Upgrade details and the technical advisory are published in the OrangeHRM GitHub Security Advisory GHSA-99qp-xh4q-pr9x. Administrators should follow the standard OrangeHRM upgrade path and apply database migrations included with 5.8.

Workarounds

  • Manually clear the PHP session storage directory or session database table after each user disable or password reset operation.
  • Reduce the session lifetime in the OrangeHRM PHP configuration to shorten the window during which orphaned sessions remain valid.
  • Restrict OrangeHRM administrative interfaces to VPN or IP-allowlisted networks to limit exposure of stolen session cookies.
  • Enforce short cookie MaxAge values and HttpOnly, Secure, and SameSite=Strict attributes at the reverse proxy layer.
bash
# Configuration example: shorten PHP session lifetime as a temporary mitigation
# /etc/php/8.1/fpm/php.ini
session.gc_maxlifetime = 900
session.cookie_lifetime = 900
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = "Strict"

# Clear active sessions after disabling a user (file-based sessions)
find /var/lib/php/sessions -type f -name 'sess_*' -delete
systemctl reload php8.1-fpm

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.