Overview
CVE-2025-55796 describes a critical vulnerability in the openml/openml.org web application, specifically version v2.0.20241110. This vulnerability stems from the use of predictable MD5-based tokens in essential user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. Due to the predictable nature of these tokens, remote attackers can potentially brute-force them within a limited timeframe, gaining unauthorized access to user accounts.
Technical Details
The core of the vulnerability lies in the token generation process. The application generates tokens by hashing the current timestamp, formatted as "%d %H:%M:%S" (day of month, hour, minute, second), with the MD5 algorithm. Crucially, this process does not incorporate any user-specific data (such as the username, email address, or a unique salt) or any cryptographic randomness, so the only input is a one-second-resolution clock value. This makes the token highly predictable.
Because the timestamp format is known, and the MD5 algorithm is easily computable, an attacker can generate a series of possible tokens within a relatively small time window surrounding the actual token generation time. They can then attempt to use these generated tokens in the targeted workflows (e.g., password reset) to gain control of a user account.
CVSS Analysis
Currently, the CVSS score for CVE-2025-55796 is listed as N/A. This is likely because a full analysis hasn’t been conducted or published at the time of this article. However, given the potential for complete account takeover, it’s reasonable to anticipate a high CVSS score upon formal assessment. A CVSS score in the range of 8.0-10.0 (High to Critical) would be expected, depending on the ease of exploitation and the prevalence of the vulnerable application.
Possible Impact
The successful exploitation of CVE-2025-55796 can have severe consequences:
- Account Takeover: Attackers can gain complete control of user accounts.
- Data Breach: Compromised accounts can be used to access and potentially exfiltrate sensitive data stored within the OpenML platform.
- Malicious Activities: Attackers can leverage compromised accounts to perform malicious actions, such as uploading malicious code or manipulating machine learning models.
- Reputational Damage: A successful account takeover campaign can severely damage the reputation of OpenML.
Mitigation or Patch Steps
To address this vulnerability, the following steps are recommended:
- Upgrade to a Patched Version: The primary mitigation is to upgrade to a patched version of OpenML that addresses the token generation vulnerability. Check the OpenML project’s release notes for the latest version and security advisories.
- Implement Cryptographically Secure Token Generation: The token generation process should be redesigned to draw tokens from a cryptographically secure random number generator and to include user-specific salts in the hashing process. Consider using more robust hashing algorithms like SHA-256 or SHA-3, keeping in mind that a stronger hash over the same predictable timestamp input gives no benefit; the unpredictable input is what matters, and the hash then serves to protect the stored copy of the token.
- Implement Rate Limiting: Implement rate limiting on password reset, email confirmation, and other sensitive workflows to prevent brute-force attacks.
- Implement Account Lockout: Implement account lockout policies after a certain number of failed login or token attempts.
- Multi-Factor Authentication (MFA): Encourage or enforce the use of multi-factor authentication (MFA) for all user accounts.
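To make the contrast in the "Technical Details" and mitigation sections concrete, the following added example (not code from openml.org or the advisory) reproduces the weak timestamp-hashing pattern exactly as described, and places beside it a hardened token store built on `secrets`, with the token persisted only as a SHA-256 digest, bound to a user, time-limited and single-use. The user identifiers, timestamps and one-hour lifetime are constructed sample values.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=1)  # assumed lifetime for the hardened token


def predictable_token(now: datetime) -> str:
    """Weak pattern from the advisory: MD5 of the timestamp formatted
    "%d %H:%M:%S". No user binding, no randomness, and the format drops
    month and year, so the same value recurs at the same second every month."""
    return hashlib.md5(now.strftime("%d %H:%M:%S").encode()).hexdigest()


def search_space(window: timedelta) -> int:
    """Candidate tokens for a guess window: one per second, because the
    only input has one-second resolution."""
    return int(window.total_seconds())


class TokenStore:
    """Hardened replacement: 256-bit CSPRNG token, stored only as a SHA-256
    digest, bound to one user, time-limited and consumed on first use."""

    def __init__(self) -> None:
        self._records = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._records[self._digest(token)] = (user_id, now + TOKEN_TTL)
        return token  # delivered to the user; raw value is never persisted

    def redeem(self, user_id: str, presented: str, now: datetime) -> bool:
        key = self._digest(presented)
        record = self._records.get(key)
        if record is None:
            return False
        bound_user, expires_at = record
        if bound_user != user_id or now > expires_at:
            return False
        del self._records[key]  # single use: consumed only on success
        return True


def demo() -> dict:
    """Exercises both designs on constructed timestamps and users."""
    jan, feb = datetime(2025, 1, 5, 12, 0, 0), datetime(2025, 2, 5, 12, 0, 0)
    store = TokenStore()
    token = store.issue("alice", jan)
    return {
        "repeats_monthly": predictable_token(jan) == predictable_token(feb),
        "candidates_10min": search_space(timedelta(minutes=10)),
        "wrong_user": store.redeem("bob", token, jan),
        "expired": store.redeem("alice", token, jan + timedelta(hours=2)),
        "valid": store.redeem("alice", token, jan + timedelta(minutes=5)),
        "replay": store.redeem("alice", token, jan + timedelta(minutes=5)),
    }
```

Rate limiting and lockout, listed above, still apply to the hardened store; the random token only removes the predictability that made the original search feasible.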
References
- OpenML GitHub Repository: https://github.com/openml
- OpenML.org GitHub Repository: https://github.com/openml/openml.org
- GitHub Security Advisory: https://github.com/openml/openml.org/security/advisories/GHSA-xfjh-gf9p-8qr6
