SB2025020202 - Multiple vulnerabilities in HedgeDoc

Published: February 2, 2025 Updated: April 25, 2026

Security Bulletin ID: SB2025020202
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Information Exposure Through an Error Message (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose whether an email address is registered.

The vulnerability exists because the registration endpoint generates error messages containing sensitive information when handling registration requests. A remote attacker can submit a registration attempt with a chosen email address and learn from the response whether that email address is already registered.

Only instances with the local account system enabled are vulnerable, and registration must also be enabled.


2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: N/A)

The vulnerability allows a remote attacker to brute-force email and password combinations.

The vulnerability exists because the local authentication login endpoint does not restrict excessive authentication attempts when handling repeated requests. A remote attacker can send login attempts without limit and brute-force email and password combinations.

Only instances with the local account system enabled are vulnerable.


Remediation

Install the update from the vendor's website.