CVE-2025-54573
MEDIUMCvat Computer Vision Annotation Tool < 2.42.0 - Authentication Bypass
Title source: ruleDescription
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q
Patch x_refsource_misc
https://github.com/cvat-ai/cvat/commit/bc20eff16b8406fbb755f6540e6f269da0c9c5b2
Scores
CVSS v3
4.3
EPSS
0.0006
EPSS Percentile
18.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-287
Status
published
Products (1)
cvat/computer_vision_annotation_tool
1.1.0 - 2.42.0
Published
Jul 30, 2025
Tracked Since
Feb 18, 2026