CVE-2025-43863

CRITICAL9.8EPSS 0.32%

vantage6 lacks brute-force protection on change password functionality

Published: 6/12/2025Modified: 5/20/2026

Description

vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct. This vulnerability is fixed in 4.11.

Affected packages (2)

PyPI/vantage6from 0, < 4.11.0
PyPI/vantage6from 0, < 4.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-43863
PATCHhttps://github.com/vantage6/vantage6
WEBhttps://github.com/vantage6/vantage6/commit/e0f1841b310f6f610e8137db2506cf683ce154d0
WEBhttps://github.com/vantage6/vantage6/security/advisories/GHSA-j6g5-p62x-58hw