Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64067

CVE-2025-64067: Primakon Pi Portal Auth Bypass Vulnerability

CVE-2025-64067 is an authorization bypass flaw in Primakon Pi Portal 1.0.18 that allows attackers to access unauthorized data through IDOR and filter manipulation. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-64067 Overview

CVE-2025-64067 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in Primakon Pi Portal 1.0.18, part of the Primakon Project Contract Management product line. API endpoints that retrieve object-specific or filtered data, such as user profiles and project records, fail to enforce server-side authorization checks. Attackers can manipulate identifier parameters like user_id or project_id to access records belonging to other users. Attackers can also omit filtering parameters entirely, causing endpoints to return the full unfiltered dataset across all tenants. The flaw exposes sensitive personal and organizational information without requiring authentication.

Critical Impact

Unauthenticated network attackers can enumerate and exfiltrate arbitrary user, project, and contract records by tampering with API request parameters.

Affected Products

  • Primakon Project Contract Management 1.0.18
  • Primakon Pi Portal (cpe:2.3:a:primakon:project_contract_management:1.0.18)
  • API endpoints returning object-scoped or filtered datasets

Discovery Timeline

  • 2025-11-25 - CVE-2025-64067 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64067

Vulnerability Analysis

The vulnerability resides in API endpoints that return object-scoped data in Primakon Pi Portal 1.0.18. The server accepts client-supplied identifiers such as user_id and project_id without validating that the authenticated session owns or has permission to view the referenced object. Attackers issue direct HTTP requests to these endpoints and increment or substitute identifiers to enumerate records belonging to other tenants. A second exploitation path involves omitting the filtering parameter entirely from the request. When the endpoint receives no filter, it returns the complete unfiltered dataset containing every stored record across all users. The disclosed data includes personally identifiable information (PII) and organizational project records, resulting in confidentiality loss without impact to integrity or availability.

Root Cause

The root cause is missing server-side authorization enforcement, classified as [CWE-639] Authorization Bypass Through User-Controlled Key. The application trusts client-supplied object identifiers and query filters instead of scoping queries to the authenticated principal. No ownership or role check occurs before the database layer returns the requested rows.

Attack Vector

Exploitation requires only network access to the API. An attacker intercepts a legitimate request, modifies the user_id, project_id, or similar parameter to a target value, and replays the request. Alternatively, the attacker removes the filtering parameter from the query string or JSON body, causing the endpoint to return all records. No user interaction, elevated privileges, or authentication bypass is required beyond the ability to reach the API. Full technical details are documented in the GitHub CVE-2025-64067 advisory.

Detection Methods for CVE-2025-64067

Indicators of Compromise

  • Sequential or non-sequential enumeration of user_id, project_id, or similar identifier values from a single source IP address
  • API requests missing expected filter parameters that return abnormally large response payloads
  • Unusual volume of successful 200 OK responses to object-retrieval endpoints from a single session token
  • Access patterns where one authenticated user retrieves records associated with many distinct tenant identifiers

Detection Strategies

  • Deploy web application firewall (WAF) rules that flag requests where the user_id in the URL or body does not match the authenticated session identity
  • Implement API gateway logging that correlates authenticated user identity with the object identifiers requested
  • Baseline normal response sizes for filtered endpoints and alert on outliers indicating unfiltered dataset returns
  • Review application logs for repeated requests to the same endpoint with only the identifier value changing

Monitoring Recommendations

  • Ingest Primakon Pi Portal API access logs into a centralized SIEM for correlation with identity telemetry
  • Alert on any HTTP request to object-retrieval endpoints that lacks the expected filter parameter
  • Monitor for high-cardinality identifier access patterns indicative of enumeration attacks

How to Mitigate CVE-2025-64067

Immediate Actions Required

  • Contact Primakon to obtain a patched release above version 1.0.18 addressing the missing authorization checks
  • Restrict network access to the Pi Portal API using IP allowlists or VPN gateways until a fix is deployed
  • Audit application logs for evidence of prior IDOR exploitation and identifier enumeration
  • Rotate credentials and notify affected users if unauthorized data access is confirmed

Patch Information

No vendor advisory URL is currently published in the NVD record. Refer to the Primakon product page and contact the vendor directly for an official fixed version. Additional technical details are available in the public CVE-2025-64067 write-up.

Workarounds

  • Deploy a reverse proxy or API gateway that rewrites or validates user_id parameters against the authenticated session before forwarding requests
  • Enforce mandatory filter parameters at the gateway layer and reject requests that omit them
  • Apply rate limiting on object-retrieval endpoints to slow enumeration attempts
  • Restrict Pi Portal exposure to authenticated corporate networks only until the vendor issues a patch
bash
# Example NGINX rule to reject requests missing the required filter parameter
location /api/projects {
    if ($arg_project_id = "") {
        return 400 "Missing required filter parameter";
    }
    proxy_pass http://pi_portal_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.