CVE-2025-47776: 
PHP vulnerability analysis and mitigation

A vulnerability in MantisBT (CVE-2025-47776) was discovered affecting versions up to 2.27.1, disclosed on November 1, 2025. The vulnerability stems from an authentication bypass issue due to PHP type juggling, specifically in instances configured to use the MD5 login method. The flaw exists due to an incorrect use of loose comparison () instead of strict comparison (=) in the authentication code (GitHub Advisory).

The vulnerability occurs due to PHP type juggling in the authentication mechanism where certain MD5 hashes are interpreted as numbers in scientific notation. The issue specifically affects the authdoespasswordmatch function in core/authenticationapi.php, where a loose comparison operator () was used instead of the strict comparison operator (=). This allows for type juggling vulnerabilities when comparing password hashes, particularly affecting hashes that match the regex pattern ^0+[Ee][0-9]+$ (GitHub Commit, Miggo).

The vulnerability allows an attacker who knows a victim's username to bypass authentication for accounts with password hashes that evaluate to zero. This can be achieved without knowledge of the actual password by using any password that produces a hash evaluating to zero. The attack bypasses the maximum failed login count protection ($gmaxfailedlogincount) as no password bruteforcing is required (GitHub Advisory).

The vulnerability has been patched in MantisBT version 2.27.2. For systems that cannot immediately update, a workaround is available by checking the database for vulnerable accounts and changing their passwords. For MySQL databases, administrators can identify vulnerable accounts using the query: SELECT username, email FROM mantisusertable WHERE password REGEXP '^0+[Ee][0-9]+$' (GitHub Advisory).