MantisBT: Authentication bypass for some passwords due to PHP type juggling
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Because the authentication code in versions 2.27.1 and below uses loose (==) instead of strict (===) comparison, PHP type juggling causes certain MD5 hashes that match scientific notation to be interpreted as numbers. On instances using the MD5 login method, an attacker who knows the victim's username and has access to an account whose password hash evaluates to zero can log in as the victim without knowing the victim's actual password, by using any other password whose hash also evaluates to zero. This issue is fixed in version 2.27.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT 2.27.1 and below use loose comparison (==) in authentication, allowing attackers to bypass login for users with passwords whose MD5 hash matches scientific notation evaluating to zero.
Vulnerability
Overview
CVE-2025-47776 is an authentication bypass vulnerability in Mantis Bug Tracker (MantisBT) versions 2.27.1 and earlier. The root cause is the use of loose (==) instead of strict (===) comparison in the authentication code [4]. This allows PHP type juggling to interpret certain MD5 hashes as numbers when they match scientific notation patterns (e.g., 0e...), causing them to evaluate to zero [1][3].
Exploitation
An attacker who knows a victim's username and has access to an account with a password hash that evaluates to zero can log in as that victim without knowing their actual password. The attacker simply uses any other password whose MD5 hash also evaluates to zero (e.g., comito5 or 5vIibvvE) [3]. No brute-forcing is required; the attacker only needs to guess or know the victim's username [3].
Impact
Successful exploitation allows an attacker to impersonate any user whose password produces a hash that evaluates to zero under scientific notation. This can lead to unauthorized access to sensitive bug tracker data, privilege escalation if the victim is an administrator, and further compromise of the MantisBT instance [1][3].
Mitigation
The vulnerability is fixed in MantisBT version 2.27.2 [1]. Users should upgrade immediately. No workaround is mentioned; the fix replaces loose comparison with strict comparison in the authentication logic [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
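The comparison shape described in the Overview and Mitigation above, reproduced outside the project as an added example (this is not MantisBT's code; the function names are illustrative, and the two passwords are widely documented examples of strings with 0e-form MD5 digests, assumed here rather than taken from the advisory). The loose check accepts the wrong password, the strict check does not, and the audit helper lists stored digests that PHP would read as numeric strings:

```php
<?php
// Added example, not MantisBT code. It reproduces the comparison shape behind
// CVE-2025-47776 outside the project: a candidate password is hashed with MD5
// and compared against the stored digest, first with == and then with ===.
// Function names below are illustrative, not functions from authentication_api.php.

// Vulnerable shape: both operands are strings, but PHP compares two numeric
// strings as numbers. "0e" followed only by digits is the numeric string
// 0 x 10^N, so every digest of that form == every other digest of that form.
function loose_password_match(string $candidate, string $stored_digest): bool
{
    return md5($candidate) == $stored_digest;
}

// Fixed shape: === requires the same type and the same bytes.
function strict_password_match(string $candidate, string $stored_digest): bool
{
    return md5($candidate) === $stored_digest;
}

// Audit helper for an unpatched instance on the MD5 login method: returns the
// stored digests that PHP would treat as a numeric string (the 0e<digits> form
// the advisory describes, plus all-digit digests, which are numeric as well).
function numeric_looking_digests(array $stored_digests): array
{
    return array_values(array_filter($stored_digests, function (string $d): bool {
        return preg_match('/^[0-9]+(e[0-9]+)?$/', $d) === 1;
    }));
}

// Two strings widely documented as producing 0e-form MD5 digests (assumed here,
// not taken from the advisory; confirm with md5() on your own system).
$victim_password = 'QNKCDZO';
$other_password  = '240610708';
$stored_digest   = md5($victim_password);

echo "digests flagged by the audit helper:\n";
print_r(numeric_looking_digests([$stored_digest, md5($other_password)]));

echo "loose match with the wrong password: ";
var_dump(loose_password_match($other_password, $stored_digest));
echo "strict match with the wrong password: ";
var_dump(strict_password_match($other_password, $stored_digest));
echo "strict match with the real password: ";
var_dump(strict_password_match($victim_password, $stored_digest));
```

The audit helper can be run over an export of stored MD5 digests to find the accounts that a loose comparison would conflate before the upgrade to 2.27.2 is rolled out.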
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.27.2 | 2.27.2 |
Patches
966554a19cf1 Check password with strict string comparison
1 file changed · +1 −1
core/authentication_api.php+1 −1 modified@@ -778,7 +778,7 @@ function auth_does_password_match( $p_user_id, $p_test_password ) { foreach( $t_login_methods as $t_login_method ) { # pass the stored password in as the salt - if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { + if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) === $t_password ) { # Do not support migration to PLAIN, since this would be a crazy thing to do. # Also if we do, then a user will be able to login by providing the MD5 value # that is copied from the database. See #8467 for more details.
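Review bot: switching == to === in the comparison inside the foreach over $t_login_methods stops PHP from reading two 0e<digits> digests as the number zero, and since both operands are already strings this is the minimal correct fix; hash_equals( $t_password, auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) ) would be the more idiomatic form for comparing digests, as it also enforces string operands and compares in constant time. A regression test that stores one 0e-form digest and attempts login with a different password whose digest has the same form would pin the behaviour for every login method the loop tries.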
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4v8w-gg5j-ph37 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-47776 (NVD entry)
- github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php (affected source file)
- github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2 (fix commit)
- github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37 (vendor advisory)
- mantisbt.org/bugs/view.php (MantisBT bug tracker)