CVE-2025-65781: n/a
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing.
AI Analysis
Technical Summary
CVE-2025-65781 is a vulnerability in Wekan, an open-source kanban board system widely used for task and project management. The issue exists in the attachment upload API, where the value of the Authorization header's bearer token is taken directly as a userId instead of being validated as an authentication credential. For any non-empty bearer value the server then enters a request-body handling branch that never terminates, so each such request stays open and consumes server resources, an application-layer denial of service (DoS). Because the bearer value is used as a userId without being checked against any session or credential store, the same flaw also carries a latent identity-spoofing risk: whatever the caller places after "Bearer" is accepted as an identity, which could allow impersonation of other users or privilege escalation within the application. The vulnerability affects all versions up to 18.15 and was addressed in version 18.16. The CVSS v3.1 base score is 8.2, reflecting high severity due to the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and high availability impact (A:H). No known exploits have been reported in the wild, but the flaw's nature allows trivial remote exploitation. The underlying weaknesses correspond to CWE-287 (Improper Authentication) and CWE-400 (Uncontrolled Resource Consumption), covering both the authentication bypass and the resource exhaustion. This vulnerability can disrupt service availability and compromise user identity integrity within Wekan deployments.
Potential Impact
For European organizations relying on Wekan for project management and collaboration, this vulnerability poses a significant risk of service disruption due to application-layer DoS attacks. The non-terminating request processing can exhaust server resources, leading to degraded performance or complete unavailability of the kanban board system, impacting productivity and operational continuity. Furthermore, the latent identity spoofing risk threatens the integrity of user actions and data, potentially allowing unauthorized access or manipulation of project information. This can undermine trust in the system and lead to data integrity issues. Organizations in sectors with stringent compliance requirements, such as finance, healthcare, and government, may face additional regulatory and reputational consequences if this vulnerability is exploited. The ease of exploitation without authentication or user interaction increases the threat level, making it accessible to a wide range of attackers. While no active exploits are currently known, the vulnerability's characteristics warrant immediate attention to prevent potential attacks.
Mitigation Recommendations
1. Upgrade Wekan installations to version 18.16 or later, where this vulnerability is fixed.
2. If immediate upgrade is not possible, implement strict API gateway or web application firewall (WAF) rules to detect and block malformed or suspicious Authorization headers, especially those with non-empty bearer tokens that do not conform to expected formats.
3. Employ rate limiting on the attachment upload API endpoint to mitigate potential DoS attempts by limiting the number of requests per client IP or user.
4. Monitor application logs for unusual patterns of repeated or long-running attachment upload requests that may indicate exploitation attempts.
5. Conduct regular security audits and penetration testing focused on authentication mechanisms and resource consumption to identify similar issues proactively.
6. Educate development teams on secure handling of authentication tokens and proper validation to prevent similar logic flaws.
7. Isolate critical Wekan instances behind VPNs or internal networks where feasible to reduce exposure to external attackers.
8. Maintain up-to-date backups of Wekan data to ensure rapid recovery in case of service disruption.
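Recommendations 3 and 4 above call for per-client request limits and for watching logs for repeated or long-running upload requests. The following added example (not Wekan's or OffSeq's code) shows one way to turn both into a check over access-log lines. The log format, the upload route pattern, the thresholds and the sample lines are all constructed for the example; a deployment would substitute its own format and the real attachment route. A hung request typically shows up in access logs as a very long duration with a client-closed or timeout status, so the detector flags any upload request over a duration threshold and, separately, any client that exceeds a per-window count on the upload route.

```javascript
// Added illustration (not Wekan's or OffSeq's code): flag clients that hammer the
// attachment upload route or whose upload requests run unusually long.
// Log format, route pattern, thresholds and sample lines are assumed/constructed.
const UPLOAD_PATH_RE = /\/attachments(\/|$)/; // assumed: replace with the deployment's real upload route

// Constructed sample lines: "<iso-time> <ip> <method> <path> <status> <duration_ms>"
// 499 stands in for "client closed request" on a hung upload; values are made up.
const SAMPLE_LOG = `
2025-12-15T14:00:01Z 203.0.113.7 POST /api/boards/b1/attachments 499 60012
2025-12-15T14:00:02Z 203.0.113.7 POST /api/boards/b1/attachments 499 60003
2025-12-15T14:00:03Z 203.0.113.7 POST /api/boards/b1/attachments 499 60020
2025-12-15T14:00:04Z 203.0.113.7 POST /api/boards/b1/attachments 499 60010
2025-12-15T14:00:05Z 203.0.113.7 POST /api/boards/b1/attachments 499 60007
2025-12-15T14:00:05Z 198.51.100.2 POST /api/boards/b2/attachments 200 340
2025-12-15T14:00:09Z 198.51.100.2 GET  /api/boards/b2/lists 200 12
2025-12-15T14:10:00Z 192.0.2.9 POST /api/boards/b3/attachments 499 61000
`.trim().split('\n');

// Parse one line into an event; null for anything that does not fit the format.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 6) return null;
  const [ts, ip, method, path, status, dur] = parts;
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return null;
  return { t, ip, method, path, status: Number(status), durationMs: Number(dur) };
}

// Walk the log once, keeping a sliding window of upload timestamps per client.
// Emits a 'slow_upload' alert per long-running upload and one 'upload_burst'
// alert per client the first time it exceeds maxPerWindow within windowMs.
function detectUploadAbuse(lines, opts = {}) {
  const windowMs = opts.windowMs ?? 60000;   // assumed 1-minute window
  const maxPerWindow = opts.maxPerWindow ?? 3; // assumed burst threshold
  const slowMs = opts.slowMs ?? 30000;       // assumed "long-running" threshold
  const alerts = [];
  const perIp = new Map();       // ip -> timestamps of upload requests in window
  const flaggedBurst = new Set();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || !UPLOAD_PATH_RE.test(e.path)) continue;
    if (e.durationMs >= slowMs) {
      alerts.push({ type: 'slow_upload', ip: e.ip, durationMs: e.durationMs, at: e.t });
    }
    const ts = perIp.get(e.ip) ?? [];
    ts.push(e.t);
    while (ts.length && ts[0] < e.t - windowMs) ts.shift(); // drop events outside the window
    perIp.set(e.ip, ts);
    if (ts.length > maxPerWindow && !flaggedBurst.has(e.ip)) {
      flaggedBurst.add(e.ip);
      alerts.push({ type: 'upload_burst', ip: e.ip, count: ts.length, windowMs });
    }
  }
  return alerts;
}
```

On the constructed sample, 203.0.113.7 produces five slow-upload alerts and one burst alert, 192.0.2.9 produces a single slow-upload alert, and the normal client 198.51.100.2 produces none; the same thresholds, applied at a gateway rather than over logs, are the rate limit recommendation 3 describes.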
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 694017f1d9bcdf3f3ddec595
Added to database: 12/15/2025, 2:15:13 PM
Last enriched: 12/22/2025, 2:33:40 PM
Last updated: 2/6/2026, 12:58:21 AM