Overview
CVE-2025-54305 describes a critical vulnerability discovered in the Thermo Fisher Torrent Suite Django application, specifically version 5.18.1. This vulnerability allows a local attacker to bypass authentication and gain administrative access to the system. The core issue lies within the LocalhostAuthMiddleware, which improperly authenticates users based on the REMOTE_ADDR property in the request’s META data.
Technical Details
The LocalhostAuthMiddleware in Torrent Suite 5.18.1 incorrectly authenticates users as ionadmin if the REMOTE_ADDR property in request.META matches one of the following IP addresses: 127.0.0.1, 127.0.1.1, or ::1 (localhost). This means any user with local access to the server hosting the Torrent Suite application can manipulate requests to appear to originate from localhost and thus bypass the standard authentication mechanisms.
CVSS Analysis
Due to the need for local access and the lack of a CVSS score provided, calculating a precise CVSS score is difficult. However, given the potential for complete system compromise, the severity should be considered high. A successful exploit allows an attacker to gain full administrative privileges. A possible CVSS v3.1 base score may look like this AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H resulting in a score of 7.8 (High).
Possible Impact
Successful exploitation of this vulnerability can lead to severe consequences, including:
- Unauthorized Access: Attackers can gain full administrative control over the Torrent Suite application.
- Data Breach: Sensitive sequencing data and user information can be accessed, modified, or exfiltrated.
- System Compromise: The underlying server can be compromised, potentially leading to further attacks on other systems within the network.
- Disruption of Services: Attackers can disrupt the normal operation of the Torrent Suite application, impacting sequencing workflows and research.
Mitigation or Patch Steps
Given the age of the disclosed vulnerability there should be newer patched versions of the application. The immediate recommended course of action to address the vulnerability is to update the Torrent Suite to the latest version. Thermo Fisher Scientific should release a patch that corrects the flawed authentication logic in the LocalhostAuthMiddleware. If an immediate update is not possible, consider the following temporary mitigations:
- Restrict Local Access: Limit physical and network access to the server hosting the Torrent Suite application.
- Disable or Modify the Middleware (with Caution): If feasible and after thorough testing, consider temporarily disabling the
LocalhostAuthMiddleware. Warning: This could impact other functionalities and is not a recommended long-term solution. - Monitor System Logs: Closely monitor system logs for suspicious activity, such as attempts to access the system from localhost while using administrative accounts.
Important: Always consult the official Thermo Fisher Scientific documentation and support channels before implementing any mitigation steps.
