CVE-2025-22144
Published: 13 January 2025
Summary
CVE-2025-22144 is a critical-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in NamelessMC (vendor: Namelessmc, product: Nameless). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 42.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-2 requires timely flaw remediation, which directly mitigates this CVE: patching NamelessMC to version 2.1.3 fixes the improper reset_code handling.
IA-5 mandates secure management of authenticators, including procedures for password resets, preventing weak recovery mechanisms that allow unauthorized account takeovers.
SI-10 enforces validation of inputs such as the password reset code parameter (&c=), rejecting requests that supply a NULL or empty value and thereby blocking resets of other users' passwords.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability sits in a public-facing NamelessMC web application and enables remote, unauthenticated exploitation of the weak password-recovery mechanism for account takeover.
NVD Description
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another user's password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis [AI-generated]
CVE-2025-22144 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in NamelessMC, a free website software for Minecraft servers. The flaw stems from improper handling of password reset codes during user validation. Specifically, when an account is approved via email, the reset_code remains NULL, but manual validation by a user with admincp.core.emails or admincp.users.edit permissions sets the reset_code to an empty value instead of NULL. Because the forgot-password handler locates the account by the submitted code, an empty c parameter matches those manually validated accounts and permits an unauthorized password reset. The issue is linked to CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).
An unauthenticated attacker can exploit this vulnerability remotely, with low complexity and no user interaction, by sending a request to the /forgot_password/ endpoint (e.g., http://localhost/nameless/index.php?route=/forgot_password/&c=). This allows the attacker to reset the password of any manually validated user account, resulting in full account takeover and potential compromise of associated Minecraft server access or other linked resources.
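The following is an added illustration of the failure mode described above and of the input validation that SI-10 calls for; it is example code written for this page, not NamelessMC's own code, and it uses a constructed in-memory SQLite table rather than the project's real schema. The function names (build_sample_db, extract_code, vulnerable_lookup, hardened_lookup, redeem_code) and the MIN_CODE_LEN policy are assumptions made for the example. The vulnerable lookup matches an empty reset_code row when the c parameter is empty, while NULL rows never match an equality comparison; the hardened version rejects missing, empty, or short codes before touching the database, compares in constant time, and clears the code after a single use.

```python
import hmac
import secrets
import sqlite3
from urllib.parse import parse_qs

# Hypothetical policy: a reset code must be at least this many characters.
# secrets.token_hex(32) produces 64 hex characters, so legitimate codes pass.
MIN_CODE_LEN = 32


def build_sample_db():
    """Constructed sample table (not NamelessMC's schema) with the three
    account states the advisory describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, reset_code TEXT)"
    )
    legit_code = secrets.token_hex(32)
    conn.executemany(
        "INSERT INTO users (id, username, reset_code) VALUES (?, ?, ?)",
        [
            (1, "approved_by_email", None),   # e-mail validation leaves NULL
            (2, "approved_by_staff", ""),     # manual validation leaves ''
            (3, "requested_reset", legit_code),  # a genuine pending reset
        ],
    )
    conn.commit()
    return conn, legit_code


def extract_code(query_string):
    """Read the c parameter the way the endpoint receives it.
    '&c=' yields an empty string; a missing parameter yields None."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("c")
    return values[0] if values else None


def vulnerable_lookup(conn, code):
    """Pattern behind CVE-2025-22144: the account is selected purely by
    equality on reset_code, so code == '' matches the staff-validated row.
    A NULL column never equals anything, which is why e-mail-validated
    accounts were not affected."""
    row = conn.execute(
        "SELECT id FROM users WHERE reset_code = ?", (code,)
    ).fetchone()
    return row[0] if row else None


def hardened_lookup(conn, code):
    """Validate the input first (SI-10), then compare in constant time."""
    if not isinstance(code, str) or len(code) < MIN_CODE_LEN:
        return None
    rows = conn.execute(
        "SELECT id, reset_code FROM users "
        "WHERE reset_code IS NOT NULL AND reset_code <> ''"
    ).fetchall()
    for user_id, stored in rows:
        if hmac.compare_digest(stored, code):
            return user_id
    return None


def redeem_code(conn, code):
    """Single-use semantics: on success, clear the stored code so the same
    value cannot be replayed. Returns the user id or None."""
    user_id = hardened_lookup(conn, code)
    if user_id is None:
        return None
    conn.execute("UPDATE users SET reset_code = NULL WHERE id = ?", (user_id,))
    conn.commit()
    return user_id


if __name__ == "__main__":
    conn, legit = build_sample_db()
    empty = extract_code("route=/forgot_password/&c=")
    print("vulnerable lookup with empty code ->", vulnerable_lookup(conn, empty))
    print("hardened lookup with empty code   ->", hardened_lookup(conn, empty))
    print("hardened lookup with real code    ->", redeem_code(conn, legit))
    print("replay of the same code           ->", hardened_lookup(conn, legit))
```

The two lookups differ only in what happens before the query: the hardened path treats an absent or empty code as a failed request rather than as a key to search for, which is the behaviour the 2.1.3 fix restores and the behaviour SI-10 input validation is meant to guarantee regardless of how a row's reset_code was initialised.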
The NamelessMC GitHub security advisory (GHSA-p883-7496-x35p) and release notes for version 2.1.3 confirm the issue has been fixed in that update, urging all users to upgrade immediately. No workarounds are available.
Details
- CWE(s)