Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65672

CVE-2025-65672: Classroomio Auth Bypass Vulnerability

CVE-2025-65672 is an Insecure Direct Object Reference vulnerability in Classroomio 0.1.13 enabling unauthorized access to course settings. This article covers the technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2025-65672 Overview

CVE-2025-65672 is an Insecure Direct Object Reference (IDOR) vulnerability in classroomio version 0.1.13, an open-source learning management platform. The flaw allows unauthorized users to access course settings related to sharing and invitations. Attackers can manipulate object identifiers in requests to reach resources they should not be authorized to view or modify. The vulnerability is tracked under CWE-639: Authorization Bypass Through User-Controlled Key and is exploitable over the network without authentication or user interaction.

Critical Impact

Unauthorized attackers can access and manipulate course share and invite settings in classroomio 0.1.13, exposing confidential course data and enabling unsanctioned enrollment.

Affected Products

  • classroomio 0.1.13
  • Open-source classroomio learning management platform deployments
  • Self-hosted instances of classroomio with default configuration

Discovery Timeline

  • 2025-11-26 - CVE-2025-65672 published to the National Vulnerability Database
  • 2025-12-05 - Last updated in NVD database

Technical Details for CVE-2025-65672

Vulnerability Analysis

The vulnerability is an Insecure Direct Object Reference (IDOR) affecting the course settings functionality of classroomio 0.1.13. The application exposes object identifiers referencing course share and invite resources without enforcing authorization checks on the requesting user. An attacker can substitute the identifier of another course in requests and gain access to settings they do not own. This represents a broken access control pattern classified under CWE-639. The flaw affects the confidentiality of course settings but does not directly modify integrity or availability of the application according to the published CVSS vector.

Root Cause

The root cause is the absence of object-level authorization on endpoints that handle course share and invite settings. The application trusts user-supplied identifiers without verifying that the authenticated session has rights to the referenced course. This permits cross-tenant access to data and configuration that should be restricted to course owners or instructors.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker sends crafted HTTP requests to the vulnerable course settings endpoints, replacing the course identifier with values belonging to other tenants. A public proof of concept is available at GitHub CVE-2025-65672 PoC, which demonstrates how identifier manipulation grants unauthorized access. Refer to the published proof of concept and the classroomio repository for endpoint and parameter details.

Detection Methods for CVE-2025-65672

Indicators of Compromise

  • Unexpected HTTP requests to course share or invite settings endpoints containing course identifiers that do not match the authenticated session's owned resources.
  • Sequential or enumerated identifier patterns in request URIs or bodies targeting course settings APIs.
  • Outbound invitation emails or share links generated for courses without corresponding owner activity in audit logs.

Detection Strategies

  • Inspect web server and application logs for requests to course share and invite endpoints originating from users not associated with the targeted course.
  • Correlate authentication session identifiers with the course IDs accessed to identify cross-account access patterns.
  • Deploy a Web Application Firewall (WAF) rule that flags identifier enumeration against course settings paths.

Monitoring Recommendations

  • Enable verbose access logging on classroomio course settings endpoints and forward logs to a centralized SIEM for analysis.
  • Alert on bursts of 4xx and 2xx responses on course settings paths from a single source within short time windows, which indicate enumeration attempts.
  • Track creation of share links and invitations and review anomalies against expected administrative activity.

How to Mitigate CVE-2025-65672

Immediate Actions Required

  • Restrict network access to classroomio 0.1.13 instances until a vendor-supplied patch is applied or backported authorization checks are deployed.
  • Audit existing share links and pending invitations to identify and revoke unauthorized entries.
  • Rotate course share tokens and invitation codes that may have been exposed through this vulnerability.

Patch Information

No vendor advisory or patched release has been published in the enriched CVE data at the time of writing. Monitor the classroomio GitHub repository for security updates and upgrade beyond version 0.1.13 once a fix is released.

Workarounds

  • Implement a reverse proxy or application-level filter that enforces ownership verification on course settings endpoints before proxying requests upstream.
  • Disable the course share and invite features in production deployments until a vendor patch is available.
  • Apply network segmentation so the classroomio instance is only reachable from authenticated internal users via VPN or zero-trust gateway.
bash
# Example reverse proxy rule to block unauthenticated access to settings endpoints
location ~ ^/api/courses/[^/]+/(share|invite) {
    if ($http_authorization = "") {
        return 401;
    }
    proxy_pass http://classroomio_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.