Platform: codeigniter
Component: opensourcepos
Fixed in: 3.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Open Source Point of Sale versions 3.4.0 through 3.4.1. This flaw arises from the explicit disabling of CSRF protection, allowing unauthorized actions to be performed on behalf of authenticated administrators. Successful exploitation could lead to unauthorized modifications of system configurations or sensitive data. The vulnerability is resolved in version 3.4.2.
The core of this vulnerability lies in the deliberate disabling of CSRF protection within the Open Source Point of Sale application. This means that an attacker can craft a malicious web page that, when visited by a logged-in administrator, will automatically trigger actions as if the administrator initiated them. For example, an attacker could modify product prices, create fraudulent users with administrative privileges, or even delete critical data. The blast radius is significant, as a single compromised administrator account can grant an attacker control over the entire point-of-sale system. This vulnerability shares similarities with other CSRF exploits where inadequate input validation and authentication bypasses allow for unauthorized actions.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation given the explicit disabling of CSRF protection suggests a medium probability of exploitation. The vulnerability was publicly disclosed on December 17, 2025, and the vendor has released a patch.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68434 is to immediately upgrade Open Source Point of Sale to version 3.4.2 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, review and restrict administrator access privileges to minimize the potential impact of a successful attack. Regularly audit user permissions and disable unnecessary accounts. While not a direct fix, enforcing strong password policies and multi-factor authentication can reduce the likelihood of an administrator account being compromised in the first place.
Update Open Source Point of Sale to version 3.4.2 or higher. This version fixes the CSRF vulnerability by re-enabling the CSRF filter in the application's configuration. If you cannot update immediately, you can manually enable the CSRF filter in `app/Config/Filters.php` by uncommenting the protection line, although this may cause issues in the sales module.
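As an added illustration (not taken from the advisory or from the Open Source Point of Sale code base), the following shows the relevant part of a CodeIgniter 4 `app/Config/Filters.php` with the CSRF filter disabled next to the corrected form, plus the view-side changes that keep forms and AJAX calls working once the filter is on. It assumes the project's file follows the stock CodeIgniter 4 layout; the route names are hypothetical.

```php
<?php
// app/Config/Filters.php, assumed to follow the stock CodeIgniter 4 layout
// (the advisory names the file but does not show its contents).
namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;

class Filters extends BaseConfig
{
    // The alias must exist for 'csrf' to be usable in $globals.
    public array $aliases = [
        'csrf' => CSRF::class,
    ];

    // WEAK (the state described for 3.4.0 and 3.4.1): the protection line
    // is commented out, so no request is checked for a token and a POST
    // forged from another site is handled exactly like a genuine one.
    //
    // public array $globals = [
    //     'before' => [
    //         // 'csrf',
    //     ],
    // ];

    // FIXED: 'csrf' runs before every request; a state-changing request
    // without a matching token is rejected with a SecurityException
    // before any controller code executes.
    public array $globals = [
        'before' => [
            'csrf',
        ],
    ];
}
?>
<!-- View side (separate file; constructed example with hypothetical routes):
     every form and AJAX call in modules such as sales must carry the token. -->
<form method="post" action="/sales/save">
    <?= csrf_field() ?>   <!-- hidden input: name csrf_token(), value csrf_hash() -->
</form>
<script>
  // The filter also accepts the token in the header named by
  // Config\Security::$headerName, which defaults to X-CSRF-TOKEN.
  fetch('/sales/add_item', {
    method: 'POST',
    headers: {'X-CSRF-TOKEN': '<?= csrf_hash() ?>'},
    body: new URLSearchParams({item_id: '42'}),
  });
</script>
```

If `Config\Security::$regenerate` is true (the CodeIgniter 4 default), the hash changes after every request, so a screen that issues several AJAX calls in a row must re-read the current token instead of reusing the one rendered at page load; that is one common reason enabling the filter breaks AJAX-heavy modules.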
CVE-2025-68434 is a Cross-Site Request Forgery (CSRF) vulnerability in Open Source Point of Sale versions 3.4.0 up to, but not including, 3.4.2, where CSRF protection is explicitly disabled, allowing attackers to perform actions as an administrator.
You are affected if you are running Open Source Point of Sale versions 3.4.0 through 3.4.1. Verify your version and upgrade immediately.
Upgrade to version 3.4.2 or later. As a temporary workaround, implement a WAF with CSRF protection rules.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a medium probability of exploitation.
Refer to the official Open Source Point of Sale security advisory for detailed information and updates: [https://opensourcepos.org/security/advisories/](https://opensourcepos.org/security/advisories/)