Cyber Resilience

CVE-2025-54791

Medium

Published: 13 August 2025

Published
13 August 2025
Modified
23 September 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0031 54.4th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54791 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Openmicroscopy Omero-Web. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 45.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information…

more

about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openmicroscopy
omero-web
≤ 5.29.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-209

Detects error messages that leak sensitive information as evidence of disclosure.

addresses: CWE-209

The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.

addresses: CWE-209

Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.

addresses: CWE-209

Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.

addresses: CWE-209

Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.

addresses: CWE-209

Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.

References