
CVE-2025-54573: CWE-287: Improper Authentication in cvat-ai cvat

Severity: Medium
Tags: Vulnerability, CVE-2025-54573, cve, cwe-287
Published: Wed Jul 30 2025 (07/30/2025, 14:32:03 UTC)
Source: CVE Database V5
Vendor/Project: cvat-ai
Product: cvat

Description

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue.

AI-Powered Analysis

Last updated: 07/30/2025, 15:02:57 UTC

Technical Analysis

CVE-2025-54573 is a medium-severity vulnerability affecting the open-source computer vision annotation tool CVAT (Computer Vision Annotation Tool) versions 1.1.0 through 2.41.0. The vulnerability arises from improper authentication due to the lack of enforced email verification when using Basic HTTP Authentication. This flaw allows users to create accounts with fake or invalid email addresses and gain access as if they were verified users. Consequently, the system is susceptible to automated bot signups and potentially unauthorized usage. The vulnerability is classified under CWE-287 (Improper Authentication), indicating that the system fails to properly verify user identity before granting access. The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and impact limited to availability (A:L) without confidentiality or integrity impact. The main impact is potential denial of service or resource exhaustion due to bot signups rather than direct data compromise. CVAT 2.42.0 and later versions have addressed this issue by enforcing email verification. Enterprise customers have a workaround by disabling user registration to mitigate the risk until they can upgrade. There are no known exploits in the wild at this time.
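The mechanism described above, as an added illustration that is not CVAT's code (the user store, field names and function names are hypothetical): the email-verification check lives only in the interactive login path, the HTTP Basic path checks the password alone, and the fix routes every credential path through the same check.

```python
# Added illustration, not CVAT's code: a verification check that lives in only
# one login path is bypassed by another path that skips it. Names are hypothetical.
import base64
import hmac
from hashlib import sha256

def _hash(pw: str) -> str:
    return sha256(pw.encode()).hexdigest()  # toy hash; real code uses a slow KDF

# Constructed sample store: username -> (password_hash, email_verified)
USERS = {
    "alice": (_hash("correct-horse"), True),   # confirmed her address
    "bot42": (_hash("hunter2"), False),        # registered with a fake address
}

def _check_password(username: str, password: str):
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec[0], _hash(password)):
        return None
    return rec

def _parse_basic(header: str):
    # Return (username, password) from an Authorization header, or None if malformed.
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = creds.partition(":")
    return (username, password) if sep else None

def login_form(username: str, password: str) -> bool:
    # Interactive login: password must match AND the address must be verified.
    rec = _check_password(username, password)
    return rec is not None and rec[1]

def basic_auth_vulnerable(header: str) -> bool:
    # Pre-fix behaviour: Basic auth checks only the password, never email_verified.
    parsed = _parse_basic(header)
    return parsed is not None and _check_password(*parsed) is not None

def basic_auth_fixed(header: str) -> bool:
    # Post-fix behaviour: Basic auth goes through the same check as the form login.
    parsed = _parse_basic(header)
    return parsed is not None and login_form(*parsed)

def basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

With the unverified account, `basic_auth_vulnerable` returns True and `basic_auth_fixed` returns False; the form login rejects that account in both variants.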

Potential Impact

For European organizations using CVAT for computer vision annotation tasks, this vulnerability could lead to unauthorized account creation and abuse of system resources. While the flaw does not directly compromise confidentiality or data integrity, the ability for attackers or bots to create numerous fake accounts can degrade service availability, potentially disrupting annotation workflows critical for AI model training and development. Organizations relying on CVAT in sectors such as automotive, healthcare, or manufacturing could face operational delays or increased costs due to resource exhaustion or the need to manually manage fraudulent accounts. Furthermore, the presence of fake accounts could skew user activity metrics or audit logs, complicating incident response and compliance efforts under regulations like GDPR. Since CVAT is often deployed in research and enterprise environments, the risk is more operational than data breach-related but still significant for maintaining service reliability and trustworthiness.

Mitigation Recommendations

European organizations should promptly upgrade CVAT installations to version 2.42.0 or later to ensure email verification is enforced. Until upgrades are feasible, disabling user self-registration is a critical interim measure, especially for enterprise deployments. Implementing additional rate limiting and CAPTCHA challenges on registration endpoints can reduce bot signup attempts. Monitoring account creation logs for unusual spikes or patterns indicative of automated signups will help detect abuse early. Integrating CVAT authentication with centralized identity providers (e.g., SAML, OAuth) can further reduce reliance on basic authentication and improve user verification. Regularly reviewing and cleaning up inactive or suspicious accounts will maintain system hygiene. Finally, organizations should ensure that their incident response and user management policies account for this vulnerability to quickly respond to any exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-25T16:19:16.091Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 688a3097ad5a09ad00a852b2

Added to database: 7/30/2025, 2:47:51 PM

Last enriched: 7/30/2025, 3:02:57 PM

Last updated: 7/30/2025, 5:15:16 PM
