PT-2026-21816 · Openemr · Openemr

Published: 2026-02-25 · Updated: 2026-03-02 · CVE-2025-67752

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 7.0.4

Description: OpenEMR's HTTP client wrapper (oeHttp/oeHttpRequest) ships with a default setting that disables SSL/TLS certificate verification (verify: false). With verification off, every external HTTPS connection made through the wrapper is susceptible to man-in-the-middle (MITM) attacks. Affected traffic includes communication with government healthcare APIs and with user-configurable external services, potentially exposing Protected Health Information (PHI).

Recommendations: Update to version 7.0.4 or later.
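To make the weakness concrete, the following is an added illustration (not OpenEMR's own code) of an option builder with the weak default beside a hardened one; it assumes a Guzzle-style client whose verify option accepts true, false or a CA-bundle path, and the class and method names are hypothetical.

```php
<?php
// Added example, not OpenEMR code. Assumes a Guzzle-style client option array
// where 'verify' is true, false, or a path to a CA bundle (assumption: the
// advisory does not name the underlying HTTP library).
declare(strict_types=1);

final class HttpClientOptions
{
    // Weak default of the kind the advisory describes: verification is off for
    // every request unless a caller remembers to turn it back on.
    public static function weakDefaults(): array
    {
        return ['timeout' => 30, 'verify' => false];
    }

    // Hardened default: verify against the system CA store, or an explicit
    // CA bundle path when the deployment pins one.
    public static function hardenedDefaults(?string $caBundle = null): array
    {
        return ['timeout' => 30, 'verify' => $caBundle ?? true];
    }

    // Merge per-request overrides onto the defaults. A downgrade to
    // verify=false is refused unless the caller explicitly opts in, and
    // even then it is logged so the exception is visible in audit logs.
    public static function merge(array $defaults, array $overrides, bool $allowInsecure = false): array
    {
        $opts = array_merge($defaults, $overrides);
        $verify = $opts['verify'] ?? true;
        if ($verify === false) {
            if (!$allowInsecure) {
                throw new RuntimeException('TLS certificate verification disabled; refusing request.');
            }
            error_log('WARNING: outbound HTTPS request with certificate verification disabled');
        }
        return $opts;
    }
}

// Usage: an external API call keeps 'verify' => true even when the caller
// only supplies headers, because the default is now the safe one.
$opts = HttpClientOptions::merge(
    HttpClientOptions::hardenedDefaults(),
    ['headers' => ['Accept' => 'application/json']]
);
// $client = new GuzzleHttp\Client($opts); // constructed here in a real wrapper
```

When reviewing a deployment that cannot be upgraded yet, grep the wrapper and its call sites for a literal verify-false option so that no code path still relies on the old default.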

Weakness Enumeration: Improper Certificate Validation

Related Identifiers: CVE-2025-67752, GHSA-2G6H-725P-PQHP

Affected Products: Openemr