CVE-2025-64067 Overview
CVE-2025-64067 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in Primakon Pi Portal 1.0.18, part of the Primakon Project Contract Management product line. API endpoints that retrieve object-specific or filtered data, such as user profiles and project records, fail to enforce server-side authorization checks. Attackers can manipulate identifier parameters like user_id or project_id to access records belonging to other users. Attackers can also omit filtering parameters entirely, causing endpoints to return the full unfiltered dataset across all tenants. The flaw exposes sensitive personal and organizational information without requiring authentication.
Critical Impact
Unauthenticated network attackers can enumerate and exfiltrate arbitrary user, project, and contract records by tampering with API request parameters.
Affected Products
- Primakon Project Contract Management 1.0.18
- Primakon Pi Portal (cpe:2.3:a:primakon:project_contract_management:1.0.18)
- API endpoints returning object-scoped or filtered datasets
Discovery Timeline
- 2025-11-25 - CVE-2025-64067 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64067
Vulnerability Analysis
The vulnerability resides in API endpoints that return object-scoped data in Primakon Pi Portal 1.0.18. The server accepts client-supplied identifiers such as user_id and project_id without validating that the authenticated session owns or has permission to view the referenced object. Attackers issue direct HTTP requests to these endpoints and increment or substitute identifiers to enumerate records belonging to other tenants. A second exploitation path involves omitting the filtering parameter entirely from the request. When the endpoint receives no filter, it returns the complete unfiltered dataset containing every stored record across all users. The disclosed data includes personally identifiable information (PII) and organizational project records, resulting in confidentiality loss without impact to integrity or availability.
Root Cause
The root cause is missing server-side authorization enforcement, classified as [CWE-639] Authorization Bypass Through User-Controlled Key. The application trusts client-supplied object identifiers and query filters instead of scoping queries to the authenticated principal. No ownership or role check occurs before the database layer returns the requested rows.
Attack Vector
Exploitation requires only network access to the API. An attacker intercepts a legitimate request, modifies the user_id, project_id, or similar parameter to a target value, and replays the request. Alternatively, the attacker removes the filtering parameter from the query string or JSON body, causing the endpoint to return all records. No user interaction, elevated privileges, or authentication bypass is required beyond the ability to reach the API. Full technical details are documented in the GitHub CVE-2025-64067 advisory.
Detection Methods for CVE-2025-64067
Indicators of Compromise
- Sequential or non-sequential enumeration of user_id, project_id, or similar identifier values from a single source IP address
- API requests missing expected filter parameters that return abnormally large response payloads
- Unusual volume of successful 200 OK responses to object-retrieval endpoints from a single session token
- Access patterns where one authenticated user retrieves records associated with many distinct tenant identifiers
Detection Strategies
- Deploy web application firewall (WAF) rules that flag requests where the user_id in the URL or body does not match the authenticated session identity
- Implement API gateway logging that correlates authenticated user identity with the object identifiers requested
- Baseline normal response sizes for filtered endpoints and alert on outliers indicating unfiltered dataset returns
- Review application logs for repeated requests to the same endpoint with only the identifier value changing
Monitoring Recommendations
- Ingest Primakon Pi Portal API access logs into a centralized SIEM for correlation with identity telemetry
- Alert on any HTTP request to object-retrieval endpoints that lacks the expected filter parameter
- Monitor for high-cardinality identifier access patterns indicative of enumeration attacks
How to Mitigate CVE-2025-64067
Immediate Actions Required
- Contact Primakon to obtain a patched release above version 1.0.18 addressing the missing authorization checks
- Restrict network access to the Pi Portal API using IP allowlists or VPN gateways until a fix is deployed
- Audit application logs for evidence of prior IDOR exploitation and identifier enumeration
- Rotate credentials and notify affected users if unauthorized data access is confirmed
Patch Information
No vendor advisory URL is currently published in the NVD record. Refer to the Primakon product page and contact the vendor directly for an official fixed version. Additional technical details are available in the public CVE-2025-64067 write-up.
Workarounds
- Deploy a reverse proxy or API gateway that rewrites or validates user_id parameters against the authenticated session before forwarding requests
- Enforce mandatory filter parameters at the gateway layer and reject requests that omit them
- Apply rate limiting on object-retrieval endpoints to slow enumeration attempts
- Restrict Pi Portal exposure to authenticated corporate networks only until the vendor issues a patch
# Example NGINX rule to reject requests missing the required filter parameter
location /api/projects {
if ($arg_project_id = "") {
return 400 "Missing required filter parameter";
}
proxy_pass http://pi_portal_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

