CVE-2025-63523: FeehiCMS fails to enforce server-side immutability
FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as “read-only.” An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.
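The flaw described above, shown as an added example that is not FeehiCMS code: a handler that trusts every posted field next to one that enforces immutability on the server. The function names, field lists and sample data are hypothetical, since the advisory does not name the affected endpoint or model attributes.

```php
<?php
declare(strict_types=1);

// Hypothetical field lists; FeehiCMS's real model attributes are not shown in the advisory.
const EDITABLE  = ['email', 'avatar'];
const IMMUTABLE = ['username'];

/** Vulnerable pattern: trusts whatever the client posts, "read-only" or not. */
function updateProfileUnsafe(array $stored, array $posted): array
{
    return array_merge($stored, $posted);
}

/** Hardened pattern: immutability is decided on the server, per field. */
function updateProfileSafe(array $stored, array $posted): array
{
    foreach (IMMUTABLE as $field) {
        // Reject a tampered value so it can be logged, rather than silently dropping it.
        if (array_key_exists($field, $posted) && $posted[$field] !== $stored[$field]) {
            throw new InvalidArgumentException("attempt to change immutable field: $field");
        }
    }
    // Copy only allow-listed fields; unknown keys never reach the stored record.
    $changes = array_intersect_key($posted, array_flip(EDITABLE));
    return array_merge($stored, $changes);
}

// Constructed sample data: the form rendered username as read-only,
// but the request that reached the server carries a different value.
$stored = ['id' => 7, 'username' => 'alice', 'email' => 'alice@example.test', 'avatar' => ''];
$posted = ['username' => 'admin2', 'email' => 'new@example.test'];

$unsafe = updateProfileUnsafe($stored, $posted);
echo "unsafe handler stored username: {$unsafe['username']}\n";

try {
    updateProfileSafe($stored, $posted);
} catch (InvalidArgumentException $e) {
    echo "safe handler rejected request: {$e->getMessage()}\n";
}

// A request that leaves the immutable field unchanged is still accepted.
$ok = updateProfileSafe($stored, ['username' => 'alice', 'email' => 'new@example.test']);
echo "safe handler stored email: {$ok['email']}, username: {$ok['username']}\n";
```

Rejecting the request, instead of quietly ignoring the field, gives the application a log event that marks a tampered submission.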