PT-2025-26188 · Cryptpad · Cryptpad

Lachlan2K · Published 2025-06-18 · Updated 2025-08-11

CVE-2025-49591
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: CryptPad versions prior to 2025.3.0

Description: The issue concerns a weak implementation of access controls in CryptPad, allowing an attacker who compromises a user's credentials to gain access to the victim's account, even if the victim has Two-Factor Authentication (2FA) set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by URL encoding a single character in the path.

Recommendations: For versions prior to 2025.3.0, update to version 2025.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation. Avoid using URL encoded paths in the affected API endpoints until the issue is resolved.

Weakness Enumeration

Improper Authentication
Improper Access Control

Related Identifiers

CVE-2025-49591
GHSA-XQ5X-WGCM-3P33

Affected Products

Cryptpad