CVE-2025-54791

Advisory

Affected versions of the omero-web package are vulnerable to Information Disclosure due to error-handling behaviour in the password reset flow that exposes sensitive details. In omeroweb/webadmin/views.py, the password reset handler surfaced omero.CmdError details (including exp.err and exp.err.parameters) directly in the response instead of returning a constant message, enabling user-existence leakage via the “Forgot Password” path. An unauthenticated attacker can submit reset requests for arbitrary accounts and compare distinct responses to enumerate valid users and glean internal information, leading to privacy exposure and targeted attacks.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad
• https://github.com/advisories/GHSA-gpmg-4x4g-mr5r
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54791