Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68277

CVE-2025-68277: OpenEMR Phishing Vulnerability

CVE-2025-68277 is a phishing vulnerability in OpenEMR that allows links in Secure Messaging to open within the portal, enabling phishing attacks. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-68277 Overview

OpenEMR is a widely-used free and open source electronic health records (EHR) and medical practice management application. A phishing vulnerability has been identified in versions prior to 7.0.4. When a link is sent via the Secure Messaging feature, clicking the link opens the external website within the OpenEMR/Portal site frame. This behavior could be exploited by malicious actors for phishing attacks, potentially tricking healthcare providers and patients into disclosing sensitive information while believing they are still within the trusted OpenEMR environment.

Critical Impact

Attackers can embed malicious links in secure messages that render within the OpenEMR portal context, enabling convincing phishing attacks against healthcare providers and patients with access to sensitive medical data.

Affected Products

  • OpenEMR versions prior to 7.0.4
  • OpenEMR Portal Secure Messaging component
  • open-emr openemr

Discovery Timeline

  • 2026-02-25 - CVE CVE-2025-68277 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2025-68277

Vulnerability Analysis

This vulnerability is classified under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). The core issue lies in how the OpenEMR Portal's Secure Messaging feature handles HTML content containing links. When messages are rendered, the DOMPurify sanitization library was configured to allow anchor (<a>) and image (<img>) tags, which enabled attackers to craft messages containing links that would open within the portal's context.

The attack requires local access and user interaction, as the victim must actively click on the malicious link within a secure message. However, the high confidentiality and integrity impact stems from the healthcare context where sensitive patient data, credentials, and medical information could be compromised through successful phishing.

Root Cause

The root cause is insufficient HTML sanitization in the message rendering functions within portal/messaging/messages.php. The DOMPurify library was being used to sanitize HTML content, but its configuration did not explicitly forbid <a> (anchor) and <img> (image) tags. This allowed attackers to embed hyperlinks in secure messages that would render within the trusted OpenEMR portal interface, creating an ideal phishing scenario.

Attack Vector

The attack leverages the trusted context of the OpenEMR Secure Messaging system. An attacker with access to the messaging system can:

  1. Compose a secure message containing a crafted hyperlink pointing to a malicious site
  2. Send the message to a target user (healthcare provider or patient)
  3. When the recipient views the message and clicks the link, the malicious site renders within the OpenEMR portal frame
  4. The victim, believing they are still within the trusted medical portal, may enter credentials or sensitive information

The security patch addresses this by modifying the DOMPurify sanitization configuration:

php
                };
 
                $scope.renderMessageBody = function (html) {
-                    html = DOMPurify.sanitize(html, { USE_PROFILES: { html: true } });
+                    html = DOMPurify.sanitize(html, {
+                        USE_PROFILES: { html: true },
+                        FORBID_TAGS: ['a', 'img']
+                    });
                    return html;
                };
 
                $scope.htmlToText = function (html) {
                    const hold = document.createElement('DIV');
-                    hold.innerHTML = DOMPurify.sanitize(html, { USE_PROFILES: { html: true } });
+                    hold.innerHTML = DOMPurify.sanitize(html, {
+                        USE_PROFILES: { html: true },
+                        FORBID_TAGS: ['a', 'img']
+                    });
                    return jsText(hold.textContent || hold.innerText || '');
                };

Source: GitHub Commit

Detection Methods for CVE-2025-68277

Indicators of Compromise

  • Secure messages containing suspicious URLs or unusual hyperlink patterns
  • User reports of unexpected login prompts or credential requests within the portal context
  • Access logs showing unusual referrer patterns from external domains rendered in portal frames
  • Messages containing obfuscated or encoded URLs attempting to bypass content filters

Detection Strategies

  • Implement logging and monitoring of all URLs contained within secure messages
  • Deploy web application firewall rules to detect and alert on external URL embedding in message content
  • Monitor for unusual patterns in secure messaging activity, such as bulk messages containing links
  • Review authentication logs for credential submissions that may indicate successful phishing

Monitoring Recommendations

  • Enable detailed audit logging for the Secure Messaging module in OpenEMR
  • Configure alerts for messages containing external URLs from untrusted domains
  • Monitor for user accounts sending high volumes of messages with embedded links
  • Implement user behavior analytics to detect anomalous messaging patterns

How to Mitigate CVE-2025-68277

Immediate Actions Required

  • Upgrade OpenEMR to version 7.0.4 or later immediately
  • Review recent secure messages for suspicious content or embedded links
  • Notify users about the potential for phishing attacks via secure messaging
  • Consider temporarily restricting HTML content in secure messages until patching is complete

Patch Information

OpenEMR version 7.0.4 patches this vulnerability by updating the DOMPurify sanitization configuration to explicitly forbid <a> and <img> tags in message content. The fix is implemented in commit 11ec62d1683571a629734fba66f7fb68d0bdc312. Organizations should apply this patch through their standard update procedures. For detailed information, refer to the GitHub Security Advisory.

Workarounds

  • If immediate patching is not possible, manually apply the DOMPurify configuration changes from the security patch
  • Disable or restrict the Secure Messaging feature until the patch can be applied
  • Implement additional content filtering at the web application firewall level to strip anchor tags
  • Educate users about identifying phishing attempts within the messaging system
bash
# Configuration example - Apply the security patch manually
cd /var/www/openemr
git fetch origin
git checkout 11ec62d1683571a629734fba66f7fb68d0bdc312 -- portal/messaging/messages.php
# Alternatively, upgrade to version 7.0.4
# Follow OpenEMR upgrade documentation for your installation method

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne