Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66507

CVE-2025-66507: Fit2cloud 1Panel Auth Bypass Vulnerability

CVE-2025-66507 is an authentication bypass flaw in Fit2cloud 1Panel that allows attackers to disable CAPTCHA verification, enabling brute-force attacks. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-66507 Overview

CVE-2025-66507 is an authentication bypass vulnerability in 1Panel, an open-source web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by manipulating a client-controlled parameter in the login request. The server trusted this value without proper validation, allowing CAPTCHA protections to be bypassed entirely. This significantly increases the risk of account takeover (ATO) through automated credential brute-force and stuffing attacks. The vulnerability is tracked under [CWE-290] (Authentication Bypass by Spoofing) and is fixed in version 2.0.14.

Critical Impact

Remote, unauthenticated attackers can bypass CAPTCHA protections on the login endpoint, enabling unrestricted automated login attempts against 1Panel administrative accounts.

Affected Products

  • Fit2cloud 1Panel versions 2.0.13 and earlier
  • 1Panel Linux server management control panel
  • All deployments exposing the 1Panel login API to untrusted networks

Discovery Timeline

  • 2025-12-09 - CVE-2025-66507 published to NVD
  • 2025-12-10 - Last updated in NVD database
  • Patch released - Fit2cloud releases 1Panel version 2.0.14 addressing the issue

Technical Details for CVE-2025-66507

Vulnerability Analysis

The vulnerability resides in the 1Panel login API handler. The Login data transfer object accepted an IgnoreCaptcha boolean field controlled entirely by the client. When the server processed an incoming login request, it honored this client-supplied flag and skipped the CAPTCHA validation routine when the value was set to true. An attacker can submit login requests with ignoreCaptcha: true to disable the anti-automation control without authentication or prior interaction.

With CAPTCHA protections removed, the login endpoint becomes susceptible to high-volume credential brute-force, password spraying, and credential stuffing attacks. The vulnerability does not directly disclose credentials, but it removes the rate-limiting safeguard that protects them.

Root Cause

The root cause is improper trust of a client-supplied input. The server-side Login struct exposed an IgnoreCaptcha field that allowed the client to dictate security policy. Security-relevant decisions, such as whether to enforce CAPTCHA, must be made server-side based on session state or configuration, not on attacker-controllable JSON fields.

Attack Vector

The attack vector is network-accessible and requires no authentication or user interaction. An attacker sends a crafted HTTP POST request to the 1Panel login endpoint with the ignoreCaptcha field set to true. The server skips CAPTCHA verification, and the attacker proceeds with automated authentication attempts against any known or guessed usernames.

go
// Security patch in core/app/dto/auth.go
// Source: https://github.com/1Panel-dev/1Panel/commit/ac43f00273be745f8d04b90b6e2b9c1a40ef7bca
type Login struct {
-    Name          string `json:"name" validate:"required"`
-    Password      string `json:"password" validate:"required"`
-    IgnoreCaptcha bool   `json:"ignoreCaptcha"`
-    Captcha       string `json:"captcha"`
-    CaptchaID     string `json:"captchaID"`
-    Language      string `json:"language" validate:"required,oneof=zh en 'zh-Hant' ko ja ru ms 'pt-BR' tr 'es-ES'"`
+    Name      string `json:"name" validate:"required"`
+    Password  string `json:"password" validate:"required"`
+    Captcha   string `json:"captcha"`
+    CaptchaID string `json:"captchaID"`
+    Language  string `json:"language" validate:"required,oneof=zh en 'zh-Hant' ko ja ru ms 'pt-BR' tr 'es-ES'"`
}

The fix removes the IgnoreCaptcha field from the Login DTO entirely, eliminating the client's ability to influence CAPTCHA enforcement. See the GitHub commit details for the complete patch.

Detection Methods for CVE-2025-66507

Indicators of Compromise

  • HTTP POST requests to the 1Panel login API containing the JSON field "ignoreCaptcha": true
  • High volume of failed login attempts from a single source IP or distributed sources targeting the 1Panel login endpoint
  • Login requests lacking the expected captcha and captchaID values yet still processed by the server
  • Successful logins preceded by hundreds or thousands of failures within a short timeframe

Detection Strategies

  • Inspect web server and reverse proxy logs for POST requests to /api/v2/auth/login with the ignoreCaptcha parameter present
  • Build authentication anomaly rules that flag rapid-fire login attempts against 1Panel hosts
  • Correlate login telemetry with geolocation and ASN data to detect distributed credential stuffing campaigns
  • Monitor for sudden spikes in 401 or 403 responses from the 1Panel authentication endpoint

Monitoring Recommendations

  • Forward 1Panel application and reverse proxy logs to a centralized SIEM for correlation
  • Enable alerts on threshold breaches for failed authentication events per source per minute
  • Track newly authenticated administrative sessions and validate them against an allowlist of known operators
  • Audit account activity following any cluster of failed login attempts for signs of successful compromise

How to Mitigate CVE-2025-66507

Immediate Actions Required

  • Upgrade 1Panel to version 2.0.14 or later, which removes the vulnerable IgnoreCaptcha field from the login API
  • Restrict network access to the 1Panel administrative interface using firewall rules, VPN, or IP allowlisting
  • Rotate credentials for all 1Panel administrative accounts, particularly if exposure to untrusted networks occurred
  • Enable multi-factor authentication (MFA) on all administrative accounts to limit the impact of credential compromise

Patch Information

The vendor has released 1Panel version 2.0.14, which removes the client-controllable IgnoreCaptcha flag and enforces CAPTCHA validation server-side. Reference the GitHub Release v2.0.14 and the GitHub Security Advisory GHSA-qmg5-v42x-qqhq for full remediation details.

Workarounds

  • Place 1Panel behind a reverse proxy or web application firewall (WAF) that strips the ignoreCaptcha field from incoming JSON payloads
  • Apply WAF rate-limiting rules to the /api/v2/auth/login endpoint to throttle brute-force attempts
  • Bind the 1Panel management interface to localhost or an internal VLAN and tunnel access through SSH or VPN until patching is complete
  • Implement source IP allowlisting at the network perimeter to limit who can reach the login endpoint
bash
# Example nginx reverse proxy snippet to rate-limit and restrict the 1Panel login endpoint
limit_req_zone $binary_remote_addr zone=panel_login:10m rate=5r/m;

location /api/v2/auth/login {
    limit_req zone=panel_login burst=3 nodelay;
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://127.0.0.1:8080;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.