CVE-2025-53021 Overview
CVE-2025-53021 is a session fixation vulnerability affecting Moodle 3.x through version 3.11.18. The flaw resides in the OAuth2 login flow, where the sesskey parameter can be obtained without authentication and reused. An attacker who tricks a victim into completing the OAuth2 login using an attacker-controlled sesskey can link the victim's authenticated session to the attacker, resulting in account takeover. The Moodle 3.11.x branch reached end of security support on 11 December 2023, meaning affected versions are no longer maintained. The vulnerability is classified under [CWE-384: Session Fixation].
Critical Impact
Successful exploitation results in full account takeover of Moodle users authenticating via OAuth2, on a product line that no longer receives security patches from the vendor.
Affected Products
- Moodle 3.x through 3.11.18
- Moodle deployments using the OAuth2 authentication flow
- Unsupported Moodle 3.11.x branch (security support ended 11 December 2023)
Discovery Timeline
- 2025-06-24 - CVE-2025-53021 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-53021
Vulnerability Analysis
The vulnerability arises in how Moodle 3.x handles the sesskey value during the OAuth2 authentication flow. The sesskey is a session-bound token intended to protect against cross-site request forgery and to bind a user's activity to their session. In affected Moodle versions, an attacker can retrieve a valid sesskey without authenticating. The attacker then crafts an OAuth2 login link that reuses this sesskey and delivers it to a victim. When the victim completes the OAuth2 flow, their identity becomes bound to the attacker's pre-established session. The attacker, holding the original sesskey, gains authenticated access to the victim's account. Exploitation requires user interaction and a plausible social-engineering vector, such as a phishing link.
Root Cause
Moodle's OAuth2 login handler fails to regenerate the session identifier and sesskey after successful authentication. Any token issued before authentication is accepted after the identity assertion completes. This violates the fundamental session management requirement to rotate session tokens across privilege boundaries, as codified in [CWE-384].
Attack Vector
The attack proceeds over the network and requires victim interaction. An unauthenticated attacker retrieves a sesskey from the target Moodle instance, embeds it into an OAuth2 login URL, and delivers the URL to the victim. Once the victim authenticates through the OAuth2 provider, the attacker's pre-obtained session becomes authorized as the victim. Because Moodle 3.11.x is no longer supported, no vendor patch is available for this branch. Technical details of the OAuth2 abuse are documented in the Rentry Moodle OAuth2 CVE writeup.
Detection Methods for CVE-2025-53021
Indicators of Compromise
- Multiple authentication events for the same account originating from distinct IP addresses or user agents within a short window
- OAuth2 callback requests where the associated sesskey value was observed in prior unauthenticated traffic
- Session identifiers that persist unchanged across the pre-authentication and post-authentication phases of the OAuth2 flow
Detection Strategies
- Monitor Moodle web server logs for sesskey values reused across separate client sessions or IP addresses
- Correlate OAuth2 callback events with the originating session cookie to identify session identifier reuse across authentication boundaries
- Alert on account activity immediately following an OAuth2 login when the source IP differs from the IP that initiated the login
Monitoring Recommendations
- Enable verbose Moodle authentication logging and forward events to a centralized log platform for correlation
- Track failed and successful OAuth2 logins per account and flag anomalous geographic or device shifts
- Review privileged account activity, especially for teacher and administrator roles, for unexpected session persistence
How to Mitigate CVE-2025-53021
Immediate Actions Required
- Upgrade off Moodle 3.x to a currently supported Moodle release line, as 3.11.x has been end-of-life since 11 December 2023
- Disable the OAuth2 authentication plugin on affected instances until migration to a supported version is complete
- Force logout of all active sessions and invalidate existing sesskey values after remediation
Patch Information
No security patch is available for Moodle 3.11.x because the branch is no longer supported by the maintainer. Administrators must migrate to a supported major version. Refer to the Moodle 3.11.18 release notes and the MoodleDev release schedule for version support timelines.
Workarounds
- Disable OAuth2 login providers and require local authentication with strong passwords and multi-factor authentication until migration is complete
- Place the Moodle instance behind a reverse proxy or web application firewall that strips or rotates suspicious sesskey parameters on unauthenticated requests
- Restrict access to the Moodle instance to trusted networks or VPN users while remediation is planned
# Example: temporarily disable OAuth2 authentication in Moodle
# From the Moodle admin UI: Site administration > Plugins > Authentication > Manage authentication
# Disable the "OAuth 2" row, then flush caches:
php admin/cli/purge_caches.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

