Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Maven

GHSA-vpxm-cr3r-pjp9

General OpenMRS Security Advisory, January 2025: Penetration Testing Results and Patches

Published
Jan 30, 2025
Updated
Jan 30, 2025
Affected
6 pkgs
Patched
6 / 6
Exploits
None indexed

Blast Radius

6 pkgs affected
org.openmrs:openmrsorg.openmrs.module:legacyuiorg.openmrs.module:idgenorg.openmrs.module:addresshierarchyorg.openmrs.module:attachmentsorg.openmrs.module:patientflags

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

Impact

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules.

This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

Vulnerability Details

  • The issues uncovered included broken access control (e.g. inappropriate admin access), phishing vulnerability, and stored XSS (e.g. vulnerable passwords).
  • No vulnerabilities were found in the O3 frontend esm modules.
  • The Letter of Attestation from the penetration test is available here for your reference.
  • After the fixes were applied, the OpenMRS O3 RefApp met a Security Level of “Excellent, Grade A”.
  • The full detailed Remediation Pentest Report is available to Implementation Technical Leads upon request.

Patches

Minimum Requirements for Implementers: We strongly recommend upgrading your modules to the following versions (or greater) as soon as possible. This is the minimum amount to do and be protected from the vulnerabilities found and fixed. The following versions contain the patch:

  • Platform 2.6.11+
    • How: Increase your platform version number wherever this is specified in your implementation. If you use the OpenMRS SDK, this will be in the distro.properties file.
    • Notes:
      • The newly released Platform 2.7 also includes the fixes. Release Notes and more download options here.
      • Platform 2.6.8+ has most of the fixes, but these are broken if you don't use SSL, so Platform 2.6.11 or higher is preferred.
      • For those still on Platform 2.5+ such as the Bahmni ecosystem, the new 2.5.14 release includes the patch. Bahmni note: The upcoming patch release for both Bahmni Lite and Bahmni Standard will incorporate these security fixes.
  • Legacy UI OMOD 1.21.0+ (here)
  • ID Gen OMOD 4.14.0+ (here)
  • Address Hierarchy OMOD 2.19.0+ (here)
  • Attachments OMOD 3.6.0+ (here)
  • Patient Flags OMOD 3.0.8+ (here)

Workarounds

There are no practical workarounds to fix or remediate the vulnerabilities without upgrading. Technically, you could remove the affected OMODs, but this would badly degrade the system's functionality.

Thank you to our amazing Security contributors!

Thank you to security firm UnderDefense, and to the OpenMRS Security Group contributors for their patch support - specific thanks to Daniel Kayiwa, Samuel Lubwama, Ian Bacher, Rafal Korytkowski, and Michael Seaton.

Affected Packages

6 total 6 fixed
EcosystemPackageVulnerable rangeFix
Mavenorg.openmrs:openmrsall versions2.6.11
Mavenorg.openmrs.module:legacyuiall versions1.21.0
Mavenorg.openmrs.module:idgenall versions4.14.0
Mavenorg.openmrs.module:addresshierarchyall versions2.19.0
Mavenorg.openmrs.module:attachmentsall versions3.6.0
Mavenorg.openmrs.module:patientflagsall versions3.0.8

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.openmrs:openmrs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update org.openmrs:openmrs to 2.6.11 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vpxm-cr3r-pjp9 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-vpxm-cr3r-pjp9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-vpxm-cr3r-pjp9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact We recently underwent Penetration Testing of OpenMRS by a third-party company. **Vulnerabilities were found, and fixes have been made and released.** We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules. **This notice applies to _all_ OpenMRS instances.** The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp. ## Vulnerability Details - The issues uncovered included broken access control (e.g.
O3 Security · Impact-Aware SCA

Is GHSA-vpxm-cr3r-pjp9 in your dependencies?

O3 detects GHSA-vpxm-cr3r-pjp9 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works