{"id":"CVE-2025-54955","details":"OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials.","modified":"2026-07-08T07:32:07.905993556Z","published":"2025-08-02T00:00:00Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"Enterprise Edition"},{"fixed":"6.10.3"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"mitre","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54955.json","cwe_ids":["CWE-362"]},"references":[{"type":"WEB","url":"https://docs.opennebula.io/6.10/intro_release_notes/release_notes_enterprise/resolved_issues_6103.html"},{"type":"WEB","url":"https://github.com/OpenNebula/one/releases/tag/release-7.0.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54955.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54955"},{"type":"FIX","url":"https://github.com/OpenNebula/one/commit/81058d9705e7ac619d294423de28b76d88f613b6"},{"type":"PACKAGE","url":"https://github.com/OpenNebula/one"},{"type":"PACKAGE","url":"https://github.com/Stolichnayer/OpenNebula-Account-Takeover"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opennebula/one","events":[{"introduced":"0"},{"fixed":"4610231fa77c9625512002705b3f541e148eea6d"}],"database_specific":{"extracted_events":[{"introduced":"Community Edition"},{"fixed":"7.0.0"}],"source":"AFFECTED_FIELD"}}],"versions":["release-6.99.90","release-6.99.85","release-6.99.80","release-6.10.0","release-6.8.0","release-6.9.80","release-6.7.80","release-6.6.0","release-6.5.90","release-6.5.80","release-6.2.0","release-6.3.85","release-6.3.80","release-6.1.90","release-6.1.85","release-6.1.80","release-6.0.0","release-5.13.90","release-5.13.85","release-5.13.80","release-5.11.90","release-5.11.85","release-5.11.8","release-5.11.80","release-5.10.0","release-5.9.90","release-5.9.80","release-5.8.0","release-5.7.90","release-5.7.85","release-5.7.80","release-5.6.0","release-5.5.90","release-5.6-beta1","release-5.5.80","release-5.4.0","release-5.4-rc1","release-5.4-beta2","release-5.4-beta1","release-5.2.0","release-5.2-beta1","release-5.0.1","release-5.0","release-5.0-rc1","release-5.0-beta2","release-5.0-beta1","release-4.14.0","release-4.8-beta2","release-4.14-beta2","release-4.14-beta1","release-4.12.0","release-4.12","release-4.12-beta1","release-4.8","release-4.8-beta1","release-4.6","release-4.6-rc1","release-4.6-beta1","release-4.4-beta1","release-4.0","release-4.0-rc","release-4.0-rc2","release-4.0-beta1","release-3.8","release-3.8-beta1","release-3.4-s0","release-3.2-rc1","release-3.2-s1","release-3.0-beta2","release-2.9.80"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54955.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}