CVE-2025-49004 is an authentication bypass vulnerability classified under CWE-290 affecting the Caido web security auditing toolkit versions prior to 0.48.0. The root cause of this vulnerability is the lack of protection against DNS rebinding attacks. DNS rebinding allows an attacker-controlled domain to circumvent the same-origin policy by manipulating DNS responses, effectively enabling malicious websites to interact with local network services or localhost interfaces. In this case, an attacker hosting a malicious website can exploit this flaw to hijack the authentication flow of a locally running Caido instance. During the initial setup of Caido, the attacker can achieve remote code execution by leveraging this hijack, effectively gaining control over the victim’s machine or the environment where Caido is running. Even after Caido is configured, the attacker can still initiate the authentication flow through DNS rebinding; however, this requires the victim to authorize the request on dashboard.caido.io, adding a layer of user interaction but still posing a significant risk. The vulnerability is remotely exploitable without prior authentication but requires user interaction (authorization) in some scenarios. The CVSS v3.1 base score is 7.5 (high severity), reflecting the high impact on confidentiality, integrity, and availability, combined with a moderately high attack complexity and requirement for user interaction. No known exploits are currently reported in the wild, but the potential for remote code execution makes this a critical concern for users of affected versions. The recommended remediation is to upgrade Caido to version 0.48.0 or later, where protections against DNS rebinding have been implemented to mitigate this attack vector.

For European organizations using Caido versions prior to 0.48.0, this vulnerability presents a significant risk. Successful exploitation can lead to remote code execution on systems running Caido, potentially compromising sensitive security audit data, internal network configurations, and other critical assets. Since Caido is a security auditing toolkit, it is likely deployed in environments with elevated privileges or access to sensitive infrastructure, increasing the severity of impact. Attackers could leverage this to gain footholds within corporate networks, escalate privileges, or move laterally. The requirement for user interaction during post-setup exploitation reduces risk somewhat but does not eliminate it, especially in environments where users may be tricked into authorizing malicious requests. The vulnerability could disrupt security auditing processes, delay vulnerability assessments, and undermine trust in security tools. Additionally, organizations in sectors with strict compliance requirements (e.g., finance, healthcare, critical infrastructure) may face regulatory consequences if this vulnerability leads to data breaches or operational disruptions.

Immediately upgrade all Caido instances to version 0.48.0 or later to ensure the DNS rebinding protections are in place. Implement network-level protections to restrict DNS rebinding attacks, such as configuring DNS resolvers to prevent rapid IP address changes for the same domain or using DNS pinning techniques. Restrict access to Caido’s local web interface by binding it to localhost or specific trusted IP addresses and using firewall rules to limit exposure. Educate users about the risks of authorizing unexpected requests on dashboard.caido.io, emphasizing caution when interacting with unknown or suspicious websites. Monitor network traffic for unusual DNS queries or rebinding patterns that could indicate exploitation attempts. In environments where upgrading immediately is not feasible, consider isolating Caido instances in segmented network zones with strict access controls to minimize exposure. Regularly audit and review security tools and their configurations to ensure they are up to date and hardened against known attack vectors.