CVE-2025-49004 in Caido

Summary

by MITRE • 06/10/2025

Caido is a web security auditing toolkit. Prior to version 0.48.0, due to the lack of protection for DNS rebinding, Caido can be loaded on an attacker-controlled domain. This allows a malicious website to hijack the authentication flow of Caido and achieve code execution. A malicious website loaded in the browser can hijack the locally running Caido instance and achieve remote command execution during the initial setup. Even if the Caido instance is already configured, an attacker can initiate the authentication flow by performing DNS rebinding. In this case, the victim needs to authorize the request on dashboard.caido.io. Users should upgrade to version 0.48.0 to receive a patch.


Analysis

by VulDB Data Team • 06/10/2025

CVE-2025-49004 is a critical flaw in the Caido web security auditing toolkit caused by missing protection against DNS rebinding. It affects versions prior to 0.48.0 and gives a remote adversary a path to a locally running Caido instance from nothing more than a web page. The core issue is the absence of DNS rebinding protection in the application's architecture: because Caido does not verify that a request arrived under a hostname it expects, an attacker who controls the DNS answers for a domain can have the victim's browser deliver requests to the local instance and reach its functionality without authorization. The flaw specifically affects Caido's authentication flow and its local execution capabilities, which makes it particularly dangerous for the security professionals who rely on the tool for their work.

Exploitation follows the classic DNS rebinding pattern. The browser binds its same-origin policy to a hostname, not to an IP address, so the attacker serves a page from a domain whose DNS record first resolves to the attacker's server and, once the page is loaded, is rebound to the address of the local Caido instance on the victim's machine. Subsequent requests from that page are delivered to the local instance while still being treated as same-origin, which lets the attacker hijack Caido's authentication flow and, through it, execute arbitrary commands on the victim's system. The attack is particularly insidious because it requires no prior authentication or local access to the target machine; everything happens through the browser's interaction with the local service. It works both during initial setup (direct code execution) and against an already configured instance (by initiating a new authentication flow), so the threat persists regardless of the instance's current state.

The operational impact goes beyond simple privilege escalation: a successful attack compromises the machine running the affected Caido version. Security professionals who use Caido for penetration testing, vulnerability assessment or security auditing are the natural victims, which creates a significant risk for organizations that depend on the tool in their security operations. Because the attack is triggered by ordinary web browsing, it is hard to detect and prevent. Even when the Caido instance is already configured, the attacker can still start the authentication flow through DNS rebinding; the victim is then asked to authorize the request on dashboard.caido.io, so a legitimate user can be tricked into approving a malicious action and the control that was meant to protect against such attacks is effectively bypassed.

The vulnerability violates several security principles, in particular secure authentication flows and protection against cross-origin attacks. From a CWE perspective it aligns with CWE-346 ("Origin Validation Error") and CWE-284 ("Improper Access Control"). In MITRE ATT&CK terms the attack pattern maps to T1190 ("Exploit Public-Facing Application") and T1059 ("Command and Scripting Interpreter"), targeting the execution phase of an attack. The missing DNS rebinding protection is an architectural flaw that should have been addressed through validation of incoming requests, secure communication and robust authentication. Organizations using Caido should upgrade to version 0.48.0 or later, which implements DNS rebinding protection. A complete fix validates the hostname under which requests arrive, enforces proper CORS policies, and ensures that the authentication flow cannot be hijacked through a malicious domain.
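The standard defense against the rebinding described above is to reject any request that does not name the service by one of its own hostnames, since a rebound page still sends the attacker's domain in the Host header. The following Python is an added illustration, not Caido's code or its actual patch; it assumes a local HTTP service on port 8080 (placeholder) that legitimately answers only as localhost, 127.0.0.1 or ::1, and screens the Host and Origin headers before any authentication endpoint is reached.

```python
"""Host/Origin screening against DNS rebinding for a localhost-bound service.
Added example, not Caido's code. After a rebind, attacker.example resolves to
127.0.0.1, so the browser's requests reach the local service still carrying
"Host: attacker.example:8080"; rejecting any Host the service was not started
under (and foreign Origins on writes) stops the attack before auth logic runs."""
from urllib.parse import urlsplit

LOCAL_PORT = 8080                       # assumed port for this example
ALLOWED_HOSTNAMES = frozenset({"localhost", "127.0.0.1", "::1"})

def parse_host_header(value: str) -> tuple:
    """Return (lowercased hostname, port or None); ValueError if malformed."""
    host = value.strip().lower()
    if not host or any(c in host for c in "/@ \t"):
        raise ValueError(f"malformed Host header: {value!r}")
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        name, rest = host[1:end], host[end + 1:]
    else:
        name, sep, port_text = host.partition(":")
        rest = sep + port_text
    if rest == "":
        return name, None
    if not (rest.startswith(":") and rest[1:].isdigit()):
        raise ValueError(f"bad port in Host header: {value!r}")
    return name, int(rest[1:])

def host_header_allowed(value: str) -> bool:
    """True only when the request names this service by one of its own names."""
    try:
        name, port = parse_host_header(value)
    except ValueError:
        return False
    return name in ALLOWED_HOSTNAMES and port in (None, LOCAL_PORT)

def origin_allowed(origin) -> bool:
    """Origin must be absent (non-browser client) or point at this service."""
    if origin is None:
        return True
    parts = urlsplit(origin)
    return parts.scheme == "http" and host_header_allowed(parts.netloc)

def screen_request(method: str, headers: dict) -> int:
    """421 for a rebound Host, 403 for a cross-site write, 0 = pass to handler."""
    if not host_header_allowed(headers.get("Host", "")):
        return 421                      # Misdirected Request
    if method not in ("GET", "HEAD") and not origin_allowed(headers.get("Origin")):
        return 403
    return 0
```

Wire `screen_request` in front of every handler (including the initial setup and authentication routes) so the check runs before any state is touched; a 421 in the local service's logs is a useful detection signal for rebinding attempts.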

Responsible

GitHub M

Reservation

05/29/2025

Disclosure

06/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00515

KEV

no

Activities

very low

Sources
