VYPR
Moderate severity · NVD Advisory · Published Apr 15, 2023 · Updated Feb 6, 2025

Improper Restriction of Excessive Authentication Attempts in janeczku/calibre-web

CVE-2022-2525

Description

Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Calibre Web before 0.6.20 lacks rate limiting on login, enabling brute-force password guessing attacks against user accounts.

Vulnerability

CVE-2022-2525 is an improper restriction of excessive authentication attempts (CWE-307) in the Calibre Web application, affecting versions prior to 0.6.20. The software enforces no rate limit, lockout or other throttle on repeated login failures, so the authentication endpoint accepts an unlimited number of password guesses. The issue was fixed in commit [49e4f540c9b204c7e39b3c27ceadecd83ed60e7e] in the official repository [1][2].

Exploitation

The attack vector is the login page exposed by the Calibre Web server. An attacker with network access to the application can submit an arbitrary number of login requests with different password guesses without being throttled or locked out. No prior authentication or special privileges are needed; the only requirement is that the attacker can reach the application's login interface [1][3].

Impact

Successful exploitation allows an attacker to brute-force user passwords by systematically trying common or guessed passwords against known or enumerated usernames. With no account lockout or CAPTCHA in the way, the attacker can keep guessing until a password matches. The result is full compromise of that account, including administrative access if a privileged user's password is cracked [1][3].

Mitigation

Calibre Web users must upgrade to version 0.6.20 or later, which adds rate limiting on authentication attempts [1][2]. Note that the single patch commit recorded on this page (49e4f540c9b2) changes only a test summary file, so operators verifying the fix should confirm they are running 0.6.20 or later rather than checking for that commit alone. The advisory lists no application-level workaround; until the upgrade is applied, operators can throttle or block repeated failed requests to the login path at a reverse proxy or with a log-driven ban tool in front of the instance, and should enforce strong, unique passwords, above all on administrative accounts. The CVE has not yet been listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, but the risk of brute-force attacks is well established. Users still running older versions should treat their instances as vulnerable and prioritize an upgrade.
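The following Python sketch is an added example for the Vulnerability, Exploitation and Mitigation sections above; it is not Calibre-Web's code and not the content of the linked commit. It models a login endpoint with and without a throttle: with no limiter attached every guess is evaluated, exactly the condition described under Exploitation, and a short word-list attack recovers the password; with a sliding-window limiter keyed on both client address and user name the same attack is cut off after the configured budget. The user store, word list, addresses and the 5-failures-per-60-seconds budget are constructed for the demonstration, and the clock is injectable so that window expiry can be shown deterministically.

```python
"""Throttling repeated login failures (CWE-307). Added illustration, not
Calibre-Web's code: a PBKDF2 password check, a sliding-window limiter keyed
on client address and user name, and a simulated dictionary attack against an
unthrottled and a throttled endpoint. In-memory state, one process, fake clock."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed user store; weak password and low iteration count keep the demo fast.
_SALT = os.urandom(16)
_ITERATIONS = 10_000
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"winter2022", _SALT, _ITERATIONS)}
_DUMMY = hashlib.pbkdf2_hmac("sha256", b"", _SALT, _ITERATIONS)


def check_password(username, password):
    """Constant-time PBKDF2 check; unknown users still cost one hash so response
    time does not reveal whether the account exists."""
    stored = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return username in USERS and hmac.compare_digest(stored, candidate)


class SlidingWindowLimiter:
    """Block a key once `limit` failures were recorded within `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        hits = self._failures[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # failures that have aged out no longer count
        return hits

    def is_blocked(self, key):
        return len(self._recent(key, self.clock())) >= self.limit

    def record_failure(self, key):
        now = self.clock()
        self._recent(key, now).append(now)


class LoginEndpoint:
    """login() returns 'ok', 'bad_credentials' or 'throttled'. With no limiters
    attached it behaves like the vulnerable endpoint: every guess is evaluated."""

    def __init__(self, by_addr=None, by_user=None):
        self.by_addr, self.by_user = by_addr, by_user

    def login(self, remote_addr, username, password):
        user_key = username.strip().lower()  # 'Admin' and 'admin ' share one budget
        limiters = [(self.by_addr, remote_addr), (self.by_user, user_key)]
        # Consult the budget before touching the password hash: a throttled
        # request must cost nothing and reveal nothing about the credentials.
        if any(lim and lim.is_blocked(key) for lim, key in limiters):
            return "throttled"
        if check_password(user_key, password):
            return "ok"
        for lim, key in limiters:
            if lim:
                lim.record_failure(key)
        return "bad_credentials"


# Constructed word list; the real password is the 9th entry.
WORDLIST = ["password", "123456", "admin", "calibre", "letmein",
            "qwerty", "welcome", "summer2022", "winter2022", "Password1"]


def brute_force(endpoint, username, wordlist, remote_addr="203.0.113.5"):
    """Walk the word list; report how the attack ended and how many requests it took."""
    for n, guess in enumerate(wordlist, 1):
        outcome = endpoint.login(remote_addr, username, guess)
        if outcome == "ok":
            return "cracked", n
        if outcome == "throttled":
            return "throttled", n
    return "exhausted", len(wordlist)


def demo():
    """Unthrottled versus throttled endpoint, then window expiry for the real user."""
    now = [0.0]  # fake clock: the limiters read now[0] instead of time.monotonic()
    throttled = LoginEndpoint(by_addr=SlidingWindowLimiter(5, 60, lambda: now[0]),
                              by_user=SlidingWindowLimiter(5, 60, lambda: now[0]))
    results = {"unthrottled": brute_force(LoginEndpoint(), "admin", WORDLIST),
               "throttled": brute_force(throttled, "Admin", WORDLIST)}
    # Keying on user name locks the account owner out too while the window is
    # open (the usual trade-off); the lock releases once the failures age out.
    results["owner_during_lockout"] = throttled.login("198.51.100.7", "admin", "winter2022")
    now[0] += 61
    results["owner_after_window"] = throttled.login("198.51.100.7", "admin", "winter2022")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth carrying into a real deployment: the budget is checked before the password hash is computed, so a throttled request costs the server nothing and cannot be used as an oracle, and keying on the user name as well as the address defeats distributed guessing from many sources at the price of letting an attacker lock the legitimate owner out for the length of the window, which is why the window is kept short.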

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: calibreweb (PyPI)
Affected versions: < 0.6.20
Patched versions: 0.6.20

Affected products: 2

Patches: 1

49e4f540c9b2

** Be careful, after updating, there is no way back **

https://github.com/janeczku/calibre-web · Ozzie Isaacs · Mar 4, 2023 · via ghsa
1 file changed · +546 −1877
  • test/Calibre-Web TestSummary_Linux.html (+546 −1877, modified)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.