Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

Project:

Mail Login

Date:

2025-July-09

Security risk:

Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

<3.2.0 || >=4.0.0 <4.2.0

CVE IDs:

CVE-2025-7393

Description:

This module enables users to login by email address with the minimal configurations.

The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an account.

Solution:

Install the latest version:

If you use the mail_login 3.x, upgrade to Mail Login 3.2.0
If you use the mail_login 4.x, upgrade to Mail Login 4.2.0

Reported By:

Ryugo Kinoshita (dc-kinoshita)

Fixed By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Mohammad AlQanneh (mqanneh)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community