
1Panel – CAPTCHA Bypass via Client-Controlled Flag

High severity GitHub Reviewed Published Dec 8, 2025 in 1Panel-dev/1Panel • Updated Dec 8, 2025

Package

gomod github.com/1Panel-dev/1Panel (Go)

Affected versions

< 2.0.14

Patched versions

2.0.14

Package

gomod github.com/1Panel-dev/1Panel/core (Go)

Affected versions

< 0.0.0-20251128030527-ac43f00273be

Patched versions

0.0.0-20251128030527-ac43f00273be

Description

Summary

A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO).

Details

The /api/login endpoint accepts a boolean field named ignoreCaptcha directly from the client request body:

"ignoreCaptcha": true

The backend implementation uses this value to determine whether CAPTCHA validation should be performed:

if !req.IgnoreCaptcha {
    if errMsg := captcha.VerifyCode(req.CaptchaID, req.Captcha); errMsg != "" {
        helper.BadAuth(c, errMsg, nil)
        return
    }
}

Because req.IgnoreCaptcha is taken directly from user input—with no server-side validation, no session binding, and no privilege checks—any unauthenticated attacker can force CAPTCHA validation to be skipped.

No additional conditions gate this path, such as:

a requirement for MFA

a trusted device

IP reputation checks

a prior valid session

rate limiting

This results in CAPTCHA being entirely client-controlled, which violates fundamental authentication and anti-automation security assumptions.
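To make the flaw concrete, here is an added illustration (not 1Panel's code) that decodes a login body the way the advisory describes and contrasts the client-decided check with a hardened one where only server-side configuration can switch CAPTCHA off. The CAPTCHA store, the ServerSettings type and the sample request body are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// LoginRequest mirrors the advisory's body; IgnoreCaptcha is the client-controlled flag.
type LoginRequest struct {
	CaptchaID     string `json:"captchaID"`
	Captcha       string `json:"captcha"`
	IgnoreCaptcha bool   `json:"ignoreCaptcha"`
}

// ServerSettings is an assumed server-side setting, the only thing that may disable CAPTCHA.
type ServerSettings struct{ CaptchaEnabled bool }
// captchaStore is a constructed stand-in for server CAPTCHA state; verifyCode
// plays the role of captcha.VerifyCode and returns "" on success.
var captchaStore = map[string]string{"cid-1": "7kq2x"}
func verifyCode(id, code string) string {
	if want, ok := captchaStore[id]; ok && want == code {
		return ""
	}
	return "captcha verification failed"
}
var ErrCaptcha = errors.New("bad auth: captcha verification failed")
// skipCaptchaVulnerable is the advisory's logic: whatever the client sent decides.
func skipCaptchaVulnerable(req LoginRequest, _ ServerSettings) bool { return req.IgnoreCaptcha }
// skipCaptchaFixed consults only server configuration; req.IgnoreCaptcha is never read.
func skipCaptchaFixed(_ LoginRequest, s ServerSettings) bool { return !s.CaptchaEnabled }

// checkLogin decodes the body and runs the CAPTCHA check unless skip says otherwise.
func checkLogin(body []byte, s ServerSettings, skip func(LoginRequest, ServerSettings) bool) error {
	var req LoginRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	if !skip(req, s) {
		if msg := verifyCode(req.CaptchaID, req.Captcha); msg != "" {
			return ErrCaptcha
		}
	}
	return nil
}

func main() {
	body := []byte(`{"captchaID":"","captcha":"","ignoreCaptcha":true}`) // constructed request
	fmt.Println("vulnerable:", checkLogin(body, ServerSettings{CaptchaEnabled: true}, skipCaptchaVulnerable))
	fmt.Println("fixed:", checkLogin(body, ServerSettings{CaptchaEnabled: true}, skipCaptchaFixed))
}
```

With CAPTCHA enabled on the server, the same body passes the vulnerable check and is rejected by the hardened one; the hardened path still accepts a correct code and still honours an administrator disabling CAPTCHA server-side.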

References

@wanghe-fit2cloud wanghe-fit2cloud published to 1Panel-dev/1Panel Dec 8, 2025
Published to the GitHub Advisory Database Dec 8, 2025
Reviewed Dec 8, 2025
Last updated Dec 8, 2025

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


Weaknesses

Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Client-Side Enforcement of Server-Side Security

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Reliance on Untrusted Inputs in a Security Decision

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

CVE ID

CVE-2025-66507

GHSA ID

GHSA-qmg5-v42x-qqhq
