VYPR
High severity · NVD Advisory · Published May 24, 2021 · Updated Aug 3, 2024

CVE-2021-33563

Description

Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Koel before 5.1.4 lacks login throttling and password strength, and reveals valid usernames, aiding brute-force attacks.

Vulnerability

Koel versions before 5.1.4 lack login throttling, do not enforce a password strength policy, and disclose whether a failed login attempt had a valid username. These issues collectively weaken authentication security. [1][2]

Exploitation

An attacker can perform brute-force attacks without rate limiting, using username enumeration to identify valid accounts and then focusing on weak passwords due to lack of strength policy. No authentication or special privileges are required beyond network access to the login endpoint. [1]

Impact

Successful brute-force would allow unauthorized access to the Koel music streaming application, potentially leading to data exposure or account takeover. [1]

Mitigation

Upgrade to Koel 5.1.4 or later, which addresses these issues. The fix was released on or before May 24, 2021. [2]
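The three weaknesses named above (no throttling, no strength policy, user-existence disclosure) are all properties of the login handler. The following is an added illustration of a handler that closes them, not Koel's own code or its 5.1.4 fix; the attempt limit, lockout window, minimum length and the per-IP-plus-username throttle key are assumed policy choices:

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional, Tuple

MAX_ATTEMPTS = 5        # failures allowed per throttle key per window (assumed policy)
WINDOW_SECONDS = 300    # sliding lockout window in seconds (assumed policy)
MIN_PASSWORD_LEN = 12   # minimum length for the strength policy (assumed policy)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; returns (salt, derived_key)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_is_strong(pw: str) -> bool:
    """Length plus at least three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_PASSWORD_LEN and sum(classes) >= 3

class LoginService:
    GENERIC_ERROR = "invalid credentials"  # identical for unknown user and wrong password

    def __init__(self):
        self.users = {}                     # username -> (salt, hash); constructed in-memory store
        self.failures = defaultdict(list)   # throttle key -> timestamps of recent failures

    def register(self, username: str, password: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet strength policy")
        self.users[username] = hash_password(password)

    def _throttled(self, key: str, now: float) -> bool:
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        self.failures[key] = recent
        return len(recent) >= MAX_ATTEMPTS

    def login(self, username: str, password: str, client_ip: str, now: Optional[float] = None):
        now = time.time() if now is None else now
        key = f"{client_ip}|{username}"
        if self._throttled(key, now):
            return False, "too many attempts, try again later"
        record = self.users.get(username)
        # Derive the key even for unknown users so response time does not leak existence.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.failures.pop(key, None)    # successful login clears the counter
            return True, "ok"
        self.failures[key].append(now)
        return False, self.GENERIC_ERROR
```

Because the error text and the hashing work are the same whether or not the username exists, a failed attempt no longer tells the caller which of the two inputs was wrong, and repeated failures from one source against one account are refused until the window expires.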

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: phanan/koel (Packagist)
Affected versions: < 5.1.4
Patched versions: 5.1.4

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)