Skip to content

PasswordResetRequest - Improvements #2954

New issue
New issue
Open
Open
PasswordResetRequest - Improvements#2954
Assignees
dpfaffenbauercopilot-swe-agent
Labels
enhancement
@dpfaffenbauer

Description

@dpfaffenbauer
dpfaffenbauer
opened on Jan 29, 2026

Problem Statement
The password reset flow contains multiple security-critical weaknesses.

Problem 1 – User Enumeration

Description & Impact
Different responses are returned depending on whether a user exists or not.
This makes account enumeration trivial.

Impact

  • Enables preparation for targeted attacks (credential stuffing, phishing).

CWE

  • CWE-204 – Observable Response Discrepancy

Problem 2 – Weak Reset Token Generation

Description

  • Use of MD5 for token generation.
  • Use of mt_rand() (not a cryptographically secure random number generator).
  • Token is based on predictable components:
    • User ID
    • Login identifier
    • Timestamp

Reference
https://www.php.net/manual/en/function.mt-rand.php

Impact

  • Reset tokens are potentially guessable.
  • Account takeover is possible.

CWE

  • CWE-640 – Weak Password Recovery Mechanism
  • CWE-330 / CWE-338 – Insufficiently Random / Weak PRNG

Problem 3 – No Rate Limiting

Description

  • Password reset can be triggered an unlimited number of times.
  • No limitation per IP, account, or identifier.

Impact

  • User enumeration at scale.
  • Mail bombing / denial of service.
  • Increased likelihood of successful token attacks.

CWE

  • CWE-307 – Improper Restriction of Excessive Authentication Attempts

Problem 4 – Missing Expiration (TTL)

Description

  • Reset token remains valid until it is overwritten or used.
  • No time-based validity window is enforced.

Impact

  • Long-lived reset links.
  • Increased risk in case of token leakage.

CWE

  • CWE-613 – Insufficient Session Expiration

Problem 5 – Reset Token Stored in Plaintext

Description

  • passwordResetHash contains the usable reset token in clear text.
  • In case of SQL injection or database leakage, account takeover is trivial
    (especially when combined with missing TTL and cleanup).

Impact

  • Direct password reset possible via database read access.

CWE

  • CWE-640 – Weak Password Recovery Mechanism

Mitigation (Overall)

  • Always return a uniform response, regardless of user existence.
  • Generate reset tokens using random_bytes().
  • Store only hashed tokens, never raw values.
  • Enforce:
    • Token expiration (TTL)
    • Single-use tokens
    • Rate limiting

@raphael-kat @papillo-solutions

Metadata

Metadata

Assignees

Labels

enhancement

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions