
CVE-2025-54791: CWE-209: Generation of Error Message Containing Sensitive Information in ome omero-web

Medium
Type: Vulnerability | CVE-2025-54791 | CWE-209
Published: Wed Aug 13 2025 (08/13/2025, 14:08:19 UTC)
Source: CVE Database V5
Vendor/Project: ome
Product: omero-web

Description

OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property.

AI-Powered Analysis

Last updated: 08/13/2025, 14:33:08 UTC

Technical Analysis

CVE-2025-54791 is a medium severity vulnerability affecting OMERO.web, a web-based client and plugin infrastructure used primarily for managing and visualizing microscopy image data. The vulnerability is classified under CWE-209, which involves the generation of error messages containing sensitive information. Specifically, in versions of OMERO.web prior to 5.29.2, when a user attempts to reset their password using the 'Forgot Password' feature, an error occurring during this process can cause the web application to display error messages that inadvertently disclose sensitive user information. This leakage could include details that may help an attacker enumerate valid usernames or gain insights into the system's user base. The vulnerability does not require authentication or user interaction to be exploited and can be triggered remotely over the network (AV:N). The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the vector indicating no privileges required (PR:N), no user interaction (UI:N), and only confidentiality impact (C:L), with no impact on integrity or availability. The issue has been addressed in OMERO.web version 5.29.2, and a temporary mitigation involves disabling the 'Forgot Password' option by setting the configuration property 'omero.web.show_forgot_password' to false. No known exploits are currently reported in the wild. This vulnerability primarily risks information disclosure that could facilitate further targeted attacks or social engineering by revealing valid user accounts or other sensitive details through error messages during password reset attempts.

Potential Impact

For European organizations using OMERO.web, particularly research institutions, universities, and biotech companies that rely on microscopy data management, this vulnerability poses a risk of information disclosure. Attackers could leverage the leaked information to identify valid user accounts, enabling targeted phishing or brute-force attacks. Although the vulnerability does not directly compromise system integrity or availability, the exposure of user information can be a stepping stone for more sophisticated attacks. Given the sensitive nature of research data and intellectual property managed through OMERO.web, even limited information disclosure can have reputational and operational impacts. Additionally, organizations subject to GDPR must consider the implications of exposing personal data, as this could lead to regulatory scrutiny and potential fines if not promptly remediated. The medium severity rating suggests that while the immediate risk is moderate, the potential for escalation exists if attackers combine this information with other vulnerabilities or social engineering tactics.

Mitigation Recommendations

European organizations should prioritize upgrading OMERO.web to version 5.29.2 or later, where the vulnerability is patched. Until the upgrade can be performed, administrators should disable the 'Forgot Password' feature by setting 'omero.web.show_forgot_password' to false in the configuration to prevent error message leakage. Additionally, organizations should review and harden their user enumeration protections, such as implementing rate limiting on password reset requests and monitoring logs for suspicious activity related to password resets. It is also advisable to conduct user awareness training to mitigate phishing risks that could arise from leaked user information. Regular security assessments and penetration testing focused on web application error handling can help identify similar issues. Finally, ensure that error messages displayed to end users are generic and do not reveal internal system details or user-specific information.
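To make the CWE-209 point in the last recommendation concrete, here is an added example (not OMERO.web's code) of a hypothetical forgot-password handler in the vulnerable form beside the hardened form: the first echoes backend exception text, which here carries the account's email or existence, onto the page; the second logs that detail server-side and returns one fixed message regardless of whether the username exists. The user directory and error strings are constructed for the example.

```python
"""Added example, not OMERO.web code: the error-message leak class behind
CVE-2025-54791 (CWE-209) in a hypothetical forgot-password handler."""
import logging

log = logging.getLogger("forgot_password")

# Constructed sample directory standing in for the real user database.
USERS = {
    "alice": {"email": "alice@example.org", "active": True},
    "bob": {"email": "bob@example.org", "active": False},
}


class ResetError(Exception):
    """Backend failure whose message contains user-specific detail."""


def _send_reset(username):
    """Simulated backend: raises with account detail on failure."""
    user = USERS.get(username)
    if user is None:
        raise ResetError(f"User {username!r} not found")
    if not user["active"]:
        raise ResetError(f"Account {user['email']} is inactive; cannot reset")
    return True


def forgot_password_vulnerable(username):
    """CWE-209: the exception text reaches the web page verbatim, so the
    response differs for unknown, inactive and active accounts."""
    try:
        _send_reset(username)
        return "Reset email sent"
    except ResetError as exc:
        return f"Error: {exc}"


# One message for every outcome, so the page reveals nothing about the account.
GENERIC = "If an account matches, a password reset email has been sent."


def forgot_password_hardened(username):
    """Hardened: detail goes to the server log for operators; the visitor
    sees the same generic message whether or not the reset succeeded."""
    try:
        _send_reset(username)
    except ResetError as exc:
        log.warning("password reset failed for %r: %s", username, exc)
    return GENERIC
```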


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-29T16:50:28.394Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689c9edbad5a09ad00424b1c

Added to database: 8/13/2025, 2:19:07 PM

Last enriched: 8/13/2025, 2:33:08 PM

Last updated: 8/13/2025, 3:49:11 PM
