CVE-2025-64105 Overview
CVE-2025-64105 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in FOSSBilling, an open-source billing and client management system. The flaw affects versions 0.6.21 through 0.7.2 and resides in the support ticket creation workflow. An authenticated client can manipulate the rel_id parameter when rel_type=order to associate a new support ticket with another client's order. The ticketCreateForClient() method failed to verify order ownership for non-upgrade tasks. The issue is fixed in version 0.8.0.
Critical Impact
Authenticated clients can mislead staff into acting on another client's order, including cancellation or upgrade requests, by linking tickets to orders they do not own.
Affected Products
- FOSSBilling version 0.6.21
- FOSSBilling versions 0.6.22 through 0.7.1
- FOSSBilling version 0.7.2
Discovery Timeline
- 2026-06-23 - CVE-2025-64105 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2025-64105
Vulnerability Analysis
FOSSBilling allows authenticated clients to open support tickets that reference related entities, such as orders, via the rel_type and rel_id request parameters. When rel_type=order, the application should verify that the referenced order belongs to the requesting client. The ticketCreateForClient() method skipped this ownership check for non-upgrade tasks. As a result, an attacker can craft a request specifying an arbitrary rel_id to associate the ticket with another client's order.
The vulnerability impacts integrity and limited confidentiality. Staff reviewing the ticket may perform actions, such as order cancellation or upgrades, on the wrong account. Order identifiers may also surface in the ticket context. No automated cron task processes these requests, so staff intervention is required to complete any malicious workflow.
Root Cause
The root cause is missing authorization on the rel_id parameter during ticket creation. The application trusts client-supplied object references without validating that the authenticated user owns the referenced order. This is a textbook IDOR pattern catalogued as CWE-639: Authorization Bypass Through User-Controlled Key.
Attack Vector
Exploitation requires an authenticated client account on the target FOSSBilling instance. The attacker submits a ticket creation request with rel_type=order and a rel_id corresponding to a victim's order. The server accepts the request, creates the ticket, and surfaces it to staff. If staff act on the ticket without verifying ownership, the attacker achieves unauthorized changes to the victim's order. See the GitHub Security Advisory GHSA-rcr8-p92p-9887 for technical details.
Detection Methods for CVE-2025-64105
Indicators of Compromise
- Support tickets where the rel_id references an order owned by a different client than the ticket creator.
- Multiple ticket creation requests from one client account referencing varied order identifiers in short succession.
- Cancellation or upgrade requests appearing in tickets that do not match the requester's order history.
Detection Strategies
- Audit the tickets table to identify rows where the ticket owner does not match the owner of the linked order.
- Review web server access logs for POST requests to ticket creation endpoints containing rel_type=order parameters.
- Correlate staff actions on orders with the originating ticket's client to detect mismatched authorizations.
Monitoring Recommendations
- Log all ticket creation events with the authenticated client ID, rel_type, and rel_id values for forensic review.
- Alert staff when a ticket references an order whose owner differs from the ticket creator before any action is taken.
- Track historical ticket-to-order relationships to identify retroactive abuse of the IDOR flaw.
How to Mitigate CVE-2025-64105
Immediate Actions Required
- Upgrade FOSSBilling to version 0.8.0 or later, which contains the ownership validation fix.
- Review tickets created on versions 0.6.21 through 0.7.2 for mismatched order ownership before staff action.
- Restrict staff workflows to require explicit verification of order ownership before processing cancel or upgrade requests.
Patch Information
The maintainers fixed the issue in FOSSBilling release 0.8.0. The patch adds an ownership check in ticketCreateForClient() so that rel_id is validated against the authenticated client when rel_type=order. Administrators running affected versions should plan an upgrade as the primary remediation.
Workarounds
- Train support staff to confirm that a ticket's linked order belongs to the requesting client before performing cancellations or upgrades.
- Implement a manual review step in the ticket queue that flags tickets whose rel_id order owner does not match the ticket submitter.
- Temporarily disable client self-service ticket creation for rel_type=order workflows until the upgrade is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

