CVE-2025-49004: CWE-290: Authentication Bypass by Spoofing in caido caido
Caido is a web security auditing toolkit. Prior to version 0.48.0, due to the lack of protection for DNS rebinding, Caido can be loaded on an attacker-controlled domain. This allows a malicious website to hijack the authentication flow of Caido and achieve code execution. A malicious website loaded in the browser can hijack the locally running Caido instance and achieve remote command execution during the initial setup. Even if the Caido instance is already configured, an attacker can initiate the authentication flow by performing DNS rebinding. In this case, the victim needs to authorize the request on dashboard.caido.io. Users should upgrade to version 0.48.0 to receive a patch.
AI Analysis
Technical Summary
CVE-2025-49004 is a high-severity authentication bypass vulnerability affecting versions of the Caido web security auditing toolkit prior to 0.48.0. The root cause is the lack of protection against DNS rebinding attacks, which allows an attacker-controlled website to bypass authentication mechanisms by manipulating the victim's browser DNS resolution. Specifically, an attacker can host a malicious website that loads the locally running Caido instance via DNS rebinding, hijacking the authentication flow. This enables remote code execution on the victim's machine during the initial setup phase of Caido. Even if Caido is already configured, the attacker can trigger the authentication flow again via DNS rebinding, prompting the victim to authorize a request on dashboard.caido.io, potentially leading to unauthorized access or code execution. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing), indicating that the attacker can spoof authentication credentials or flows to gain unauthorized access. The CVSS v3.1 base score is 7.5, reflecting high severity due to the network attack vector, no privileges required, but user interaction is necessary. The impact affects confidentiality, integrity, and availability, as attackers can execute arbitrary commands remotely. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and patched in version 0.48.0. The attack requires a victim to visit a malicious website, which then performs DNS rebinding to access the local Caido instance, exploiting the lack of DNS rebinding protections in the application. This vulnerability highlights the risks of insecure local web applications exposed to browser-based attacks without proper origin validation or DNS rebinding mitigations.
Potential Impact
For European organizations using Caido versions prior to 0.48.0, this vulnerability poses a significant risk. Successful exploitation could lead to remote code execution on systems running Caido, potentially compromising sensitive security audit data and tools. This could undermine the integrity of security assessments and expose organizations to further attacks by providing attackers with a foothold inside the network. Confidentiality breaches could occur if attackers access audit results or internal configurations. The availability of the Caido service and possibly other local services could be disrupted by malicious commands. Since Caido is a security auditing toolkit, its compromise could erode trust in security processes and lead to cascading security failures. The requirement for user interaction (visiting a malicious website) means that phishing or social engineering campaigns could be used to trigger the attack. European organizations with security teams or developers using Caido locally are at risk, especially if they do not promptly upgrade to the patched version. The vulnerability also raises concerns about supply chain security and the security of internal security tools, which are critical for maintaining compliance with European data protection regulations such as GDPR.
Mitigation Recommendations
1. Immediate upgrade to Caido version 0.48.0 or later, which includes patches for DNS rebinding protections.
2. Implement network-level protections to restrict access to local Caido instances, such as firewall rules or local host binding to prevent external access.
3. Educate users and security teams about the risks of visiting untrusted websites while running local security tools.
4. Employ browser security features or extensions that mitigate DNS rebinding attacks, such as enforcing strict origin policies or disabling DNS rebinding where possible.
5. Monitor network traffic and logs for suspicious DNS rebinding patterns or unauthorized access attempts to local services.
6. For organizations deploying Caido in shared or multi-user environments, enforce strict authentication and session management controls to reduce the risk of hijacking.
7. Conduct regular security audits of internal tools to ensure they are up to date and configured securely, including validation of origin headers and use of anti-rebinding techniques like checking the Host header or implementing token-based authentication flows.
8. Consider isolating security auditing tools in sandboxed or virtualized environments to limit the impact of potential compromises.
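The Host and Origin header validation named in recommendation 7 is the core anti-rebinding control for a service bound to loopback; the following is an added illustration of it, not Caido's own code. Constructed assumptions: the service listens on loopback port 8080 and is only ever addressed as localhost, 127.0.0.1 or [::1].

```python
# Host/Origin allowlist check for a locally bound web service as a defence
# against DNS rebinding. Added example, not Caido's own code. Constructed
# assumption: the service listens on loopback port 8080 and is only ever
# addressed as localhost, 127.0.0.1 or [::1].
from urllib.parse import urlsplit

ALLOWED_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}
LISTEN_PORT = 8080


def split_host_port(host_value):
    """Parse a Host header into (hostname, port); port is None when absent,
    (None, None) when malformed. Handles bracketed IPv6 literals."""
    value = host_value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        hostname, rest = value[1:end], value[end + 1:]
    else:
        hostname, sep, port_text = value.partition(":")
        rest = ":" + port_text if sep else ""
    hostname = hostname.rstrip(".")  # "localhost." is still localhost
    if rest == "":
        return hostname, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        return None, None
    return hostname, int(rest[1:])


def host_is_allowed(host_header):
    """A rebound request still carries the attacker's domain in Host: the
    browser keeps the hostname even after its IP changes to 127.0.0.1, so
    accepting only loopback names on the listen port defeats rebinding."""
    if host_header is None:
        return False
    hostname, port = split_host_port(host_header)
    return hostname in ALLOWED_HOSTNAMES and port in (None, LISTEN_PORT)


def origin_is_allowed(origin_header):
    """When Origin is sent (fetch/XHR, form POSTs) it must also name
    loopback; 'null' and foreign origins are rejected."""
    if origin_header is None:
        return True  # plain same-origin navigations may omit Origin
    return urlsplit(origin_header.strip().lower()).hostname in ALLOWED_HOSTNAMES


def request_is_allowed(headers):
    """Decision for one request; headers is a dict keyed by lowercase name."""
    return host_is_allowed(headers.get("host")) and origin_is_allowed(headers.get("origin"))
```

A request from a page whose domain was rebound to 127.0.0.1 is rejected because both its Host and Origin still name the foreign domain, while a genuine local request on the listen port passes.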
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-29T16:34:07.175Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f541b0bd07c3938a03b
Added to database: 6/10/2025, 6:54:12 PM
Last enriched: 7/11/2025, 5:32:23 AM
Last updated: 8/7/2025, 8:22:18 PM