N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47776

CVE-2025-47776: MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling

Due to an incorrect use of loose (==) instead of strict (===) comparison in the authentication code, PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.

Impact

On MantisBT instances configured to use the MD5 login method, user accounts having a password hash evaluating to zero (i.e. matching regex ^0+[Ee][0-9]+$) are vulnerable, allowing an attacker knowing the victim's username to login without knowledge of their actual password, using any other password having a hash evaluating to zero, for example comito5 (0e579603064547166083907005281618).

No password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack.

Patches

Fixed in 2.27.2.

Workarounds

Check the database for vulnerable accounts, and change those users' passwords, e.g. for MySQL:

SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'

Credits

Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-47776

CVE-2025-47776:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mantisbt/mantisbt	composer	< 2.27.2	2.27.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security advisory and the associated patch commit clearly identifies the root cause of the vulnerability. The commit 966554a19cf1bdbcfbfb3004766979faa748f9a2 shows a single, targeted change in the core/authentication_api.php file. The diff explicitly replaces the loose comparison operator == with the strict comparison operator === inside the auth_does_password_match function. This function is responsible for verifying if a provided password matches the stored hash. The vulnerability description explains that this loose comparison leads to a type juggling issue with MD5 hashes that resemble scientific notation, allowing an authentication bypass. Therefore, the auth_does_password_match function is the precise location of the vulnerability, as it performs the flawed comparison that enables the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-47776: MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling

Impact

Patches

Workarounds

Credits

CVE-2025-47776:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

N/A

N/A

CVE-2025-47776: MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling

Impact

Patches

Workarounds

Credits

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI