CVE-2025-52392: Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms

August 13, 2025

Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can repeatedly submit login attempts without restrictions, potentially gaining unauthorized administrative access. This vulnerability corresponds to CWE-307: Improper Restriction of Excessive Authentication Attempts.

References

beafn28.gitbook.io/beafn28/cve/brute-force-login-vulnerability-in-soosyze-cms-2.0-cve-2025-52392
github.com/advisories/GHSA-vq9x-w82r-rhmc
github.com/soosyze/soosyze
github.com/soosyze/soosyze/issues/269
nvd.nist.gov/vuln/detail/CVE-2025-52392

Code Behaviors & Features

Detect and mitigate CVE-2025-52392 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →