Captcha verification bypass in github.com/mojocn/base64Captcha
Description
CVE-2023-45292 is a bypass vulnerability in base64Captcha's default Verify function, which incorrectly considers any captcha valid when given a non-existent id and empty answer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The Verify method in the default memory store of base64Captcha (a Go captcha package) contains a logic flaw that allows captcha verification to be bypassed. When the method receives a non-existent id, an empty answer string, and clear set to true, it returns true even though no captcha challenge was issued. This is because the Get method returns an empty string for a missing id, and the comparison v == answer then compares two empty strings, which is always true [1][4].
Exploitation
Prerequisites
An attacker can exploit this without any authentication, simply by crafting a request to the application that calls the Verify function with an arbitrary non-existent id, an empty string as the answer, and true for the clear parameter. Since the default configuration uses this vulnerable implementation, the attacker can bypass captcha challenges on any endpoint relying on this verification [2][4].
Impact
Successful exploitation allows an attacker to bypass captcha protection entirely. This can enable automated attacks such as credential stuffing, account enumeration, spam submissions, or other abuse on forms and endpoints that depend on captcha verification to distinguish human users from bots [1][3].
Mitigation
The issue has been patched in the base64Captcha repository. The fix adds a check that returns false if either id or answer is empty [4]. Users should update to the latest version of the package. There is no known evidence of exploitation in the wild at the time of publication.
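The flaw from the Description and the patched check from the Mitigation, side by side, as an added example that is not the base64Captcha code itself: memStore is a constructed stand-in for the default memory store (unknown id yields "", clear deletes the entry), VerifyVulnerable reproduces the pre-fix comparison, and VerifyFixed applies the checks the patch adds.

```go
package main

import "fmt"

// memStore is a constructed stand-in for base64Captcha's default memory
// store, not the library's code. As in the advisory, Get returns "" for an
// unknown id and deletes the entry when clear is true (single-use answers).
type memStore struct{ m map[string]string }

func newMemStore() *memStore { return &memStore{m: map[string]string{}} }

func (s *memStore) Set(id, value string) { s.m[id] = value }

func (s *memStore) Get(id string, clear bool) string {
	v := s.m[id]
	if clear {
		delete(s.m, id)
	}
	return v
}

// VerifyVulnerable reproduces the pre-fix logic (CVE-2023-45292): for an
// unknown id, Get yields "", so "" == "" accepts an empty answer.
func (s *memStore) VerifyVulnerable(id, answer string, clear bool) bool {
	v := s.Get(id, clear)
	return v == answer
}

// VerifyFixed applies the patched checks: reject an empty id or answer before
// touching the store, and never accept an empty stored value.
func (s *memStore) VerifyFixed(id, answer string, clear bool) bool {
	if id == "" || answer == "" {
		return false
	}
	v := s.Get(id, clear)
	return v != "" && v == answer
}

func main() {
	s := newMemStore()
	s.Set("abc", "7x9q") // constructed challenge id and answer
	fmt.Println(s.VerifyVulnerable("no-such-id", "", true)) // true: bypass
	fmt.Println(s.VerifyFixed("no-such-id", "", true))      // false
	fmt.Println(s.VerifyFixed("abc", "7x9q", true))         // true, consumed
	fmt.Println(s.VerifyFixed("abc", "7x9q", true))         // false, single-use
}
```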
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mojocn/base64Captcha (Go) | < 1.3.6 | 1.3.6 |
Patches
2 files changed · +7 −0
store_memory.go+3 −0 modified@@ -66,6 +66,9 @@ func (s *memoryStore) Set(id string, value string) error { } func (s *memoryStore) Verify(id, answer string, clear bool) bool { + if id == "" || answer == "" { + return false + } v := s.Get(id, clear) return v != "" && v == answer }
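Review bot: the new `if id == "" || answer == ""` guard at the top of Verify is placed correctly, before `s.Get(id, clear)` runs, so an empty id or answer never reaches the store and never triggers the clear-on-read side effect; but since the unchanged `return v != "" && v == answer` already rejects an empty answer, add a one-line comment stating that the guard exists to reject empty inputs before the lookup (CVE-2023-45292), so a later cleanup does not drop it as redundant. The guard lives only in memoryStore.Verify; the description calls this the default memory store, so any other Store implementation used with this package needs the same check.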
store_memory_test.go+4 −0 modified@@ -143,6 +143,10 @@ func Test_memoryStore_Verify(t *testing.T) { if got { t.Error("failed3") } + got = DefaultMemStore.Verify("saaf", "", true) + if got { + t.Error("CVE-2023-45292 GO-2023-2386") + } } func Test_memoryStore_Get(t *testing.T) {
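Review bot: the added assertion exercises only the non-existent-id plus empty-answer case, so the `id == ""` half of the new guard is untested; add `DefaultMemStore.Verify("", "", true)` and an empty-id-with-non-empty-answer case, and a case where a real id is queried with an empty answer to confirm the stored value is not consumed by the early return. The error string "CVE-2023-45292 GO-2023-2386" is a useful reference but should also say what failed, e.g. "empty answer accepted for unknown id".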
9b11012caca5 feat(inmemory): verify method must check the empty id and answer.
1 file changed · +1 −1
store_memory.go+1 −1 modified@@ -67,7 +67,7 @@ func (s *memoryStore) Set(id string, value string) error { func (s *memoryStore) Verify(id, answer string, clear bool) bool { v := s.Get(id, clear) - return v == answer + return v != "" && v == answer } func (s *memoryStore) Get(id string, clear bool) (value string) {
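Review bot: changing `return v == answer` to `return v != "" && v == answer` closes the empty-equals-empty comparison, but it still depends on Get returning "" for a missing id and still calls `s.Get(id, clear)` for an empty id or answer before rejecting them, so the clear side effect runs on inputs that can never verify. Reject `id == "" || answer == ""` before the lookup as well, and add a test for an unknown id with an empty answer so this path stays covered.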
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5mmw-p5qv-w3x5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-45292 (ghsa, ADVISORY)
- github.com/mojocn/base64Captcha/commit/5ab86bd6f333aad3936f912fc52b411168dcd4a7 (ghsa, WEB)
- github.com/mojocn/base64Captcha/commit/9b11012caca58925f1e47c770f79f2fa47e3ad13 (ghsa, WEB)
- github.com/mojocn/base64Captcha/issues/120 (ghsa, WEB)
- pkg.go.dev/vuln/GO-2023-2386 (ghsa, WEB)