Revive Adserver Security Advisory REVIVE-SA-2025-005
- Advisory ID: REVIVE-SA-2025-005
- Date: 2025-11-26
- Risk Levels: Medium
- Applications affected: Revive Adserver
- Versions affected: <= 6.0.3
- Versions not affected: >= 6.0.4
- Website: https://www.revive-adserver.com/
Vulnerability 1: Incomplete List of Disallowed Inputs
- Vulnerability type: Incomplete List of Disallowed Inputs [CWE-184]
- CVE-ID: CVE-2025-55129
- Risk level: Medium
- CVSS Base Score: 5.4
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Description
HackerOne community member Kassem S. (kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyphs based impersonation has been independently reported by other HackerOne community members, such as itz_hari_ and khoof.
Details
Username validation was historically allowing full UTF-8 usernames. That was supposed to be a feature, but it could be used maliciously to generate usernames visually identical to existing ones, using various techniques, such as homoglyph characters, zero-width spaces, RTL override, and potentially others. An attacker with user creation permissions could specifically craft a username and trick an administrator user to grant other permissions to it rather than the legitimate user.
Following the report, now only usernames with a limited character set (variant of POSIX.1-2017) are allowed.
References
Solution
We recommend updating to the most recent 6.0.4 version of Revive Adserver, or whatever happens to be the current release at the time of reading this security advisory.
Contact Information
The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>.
Please review https://www.revive-adserver.com/security/ before doing so. We only accept security reports through HackerOne.