Mass Assignment Vulnerability in Snipe-IT Software by Grokability
CVE-2025-15602

8.7HIGH

Key Information:

Vendor

Grokability, Inc.

Status
Snipe-it
Vendor
CVE Published:
6 March 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-15602?

A significant vulnerability in Snipe-IT affects versions prior to 8.3.7, where sensitive user attributes are inadequately protected against mass assignment attacks. This flaw enables an authenticated, low-privileged user to manipulate API requests, altering restricted fields within another user's account, including that of the Super Admin. By exploiting this vulnerability, an attacker can change the Super Admin's email and trigger a password reset, leading to unauthorized administrative control over the entire Snipe-IT instance.

Affected Version(s)

Snipe-IT 0 < 8.3.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-15602-PoC
Created by Nxvh1337

References

https://github.com/grokability/snipe-it/releases/tag/v8.3.7
release-notespatch
https://snipeitapp.com/
product
https://www.vulncheck.com/advisories/snipe-it-mass-assign...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Noah Heraud
Luca D.
.