OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (oeHttp/oeHttpRequest) disables SSL/TLS certificate verification by default (verify: false), making all external HTTPS connections vulnerable to man-in-the-middle (MITM) attacks. This affects communication with government healthcare APIs and user-configurable external services, potentially exposing Protected Health Information (PHI). Version 7.0.4 fixes the issue.
{
"cwe_ids": [
"CWE-295"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67752.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "7.0.4"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}