CVE-2025-29448: 
PHP vulnerability analysis and mitigation

A business logic vulnerability has been identified in Easy Appointments v1.5.1, tracked as CVE-2025-29448. The vulnerability was discovered and published to the CVE List on May 7, 2025. This security flaw allows unauthenticated attackers to cause a Denial of Service (DoS) condition in the application's booking system (NVD, GitHub).

The vulnerability exists in the appointment booking functionality where the application fails to properly validate the enddatetime parameter in booking requests. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wiz).

When successfully exploited, this vulnerability allows attackers to create appointments with excessively long durations, effectively blocking all future booking availability in the system. This results in a denial of service condition that prevents legitimate users from making new appointments (GitHub).

A fix has been implemented in commit 74633b60f28bdef3cc9f905c0599cef121fee32b to the Easy Appointments repository. Organizations using Easy!Appointments v1.5.1 should update to the patched version to prevent this vulnerability from being exploited (GitHub).