CVE-2025-67752

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67752

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67752.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67752

Aliases

GHSA-2g6h-725p-pqhp

Published

2026-02-25T01:09:20.946Z

Modified

2026-02-27T19:34:16.472719Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

OpenEMR Has Disabled SSL Certificate Verification in HTTP Client

Details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (oeHttp/oeHttpRequest) disables SSL/TLS certificate verification by default (verify: false), making all external HTTPS connections vulnerable to man-in-the-middle (MITM) attacks. This affects communication with government healthcare APIs and user-configurable external services, potentially exposing Protected Health Information (PHI). Version 7.0.4 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-295"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67752.json"
}

References

Affected packages

Git / github.com/openemr/openemr

Affected ranges

Type: GIT
Repo: https://github.com/openemr/openemr
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

466c4a32aa633b98a382c35f45fd902688ed83e7

Affected versions

Other

v2_7_2

v2_7_2-rc1

v2_7_2-rc2

v2_7_3-rc1

v2_8_0

v2_8_1

v2_8_2

v2_8_3

v2_9_0

v3_0_0

v3_0_1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67752.json"