CVE-2025-24373: Conditional Hash Equals Auth Bypass

A sensitive authentication or authorization validation (e.g. `hash_equals()`) is conditionally omitted when a specific array key or variable is set. Because no equivalent strong validation (such as a nonce or role check) is performed when that parameter is present, an attacker can force execution down that branch and bypass the access control entirely simply by

Provally Curated · Public repository · High · Medium confidence · Verified · Apache-2.0 · PHP · β
greprules fetch cve-2025-24373-conditional-hash-equals-auth-bypass --engine opengrep

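A minimal illustration of the pattern this rule flags, added here as an example; it is not code from the affected project or from the rule itself, and the function and parameter names (`verify_request_*`, `legacy_mode`, `token`) are hypothetical. The vulnerable version skips `hash_equals()` whenever a request key is present, while the hardened version verifies the token on every path and treats the extra parameter as something that can only add a check, never remove one.

```php
<?php
// Added example with hypothetical names; not the affected project's code.

// VULNERABLE: the strong check is skipped whenever 'legacy_mode' is set,
// and the alternate branch performs no equivalent verification at all.
function verify_request_vulnerable(array $request, string $expected_token): bool
{
    if (!isset($request['legacy_mode'])) {
        // Constant-time comparison of the supplied token against the expected one.
        return hash_equals($expected_token, (string) ($request['token'] ?? ''));
    }
    // This branch grants access with no nonce, role, or token check.
    return true;
}

// HARDENED: the token is verified unconditionally; when the extra parameter is
// present, a second, equally strong check (a caller-supplied role check) is required.
function verify_request_hardened(array $request, string $expected_token, callable $has_required_role): bool
{
    if (!hash_equals($expected_token, (string) ($request['token'] ?? ''))) {
        return false;
    }
    if (isset($request['legacy_mode'])) {
        // Presence of a parameter must never weaken the validation; it may only add one.
        return (bool) $has_required_role();
    }
    return true;
}

// Constructed input: a request that supplies no token but sets the conditional key.
$expected = bin2hex(random_bytes(16));
$request_without_token = ['legacy_mode' => '1'];

// Exercises the branch that omits the hash_equals() check.
var_dump(verify_request_vulnerable($request_without_token, $expected));
// Same request against the hardened function, with the role check failing.
var_dump(verify_request_hardened($request_without_token, $expected, fn() => false));
```

The detection rule targets the first shape: a `hash_equals()` call guarded by an `isset()`-style condition with no comparable check on the other branch.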