CVE-2025-65672 Overview
CVE-2025-65672 is an Insecure Direct Object Reference (IDOR) vulnerability in classroomio version 0.1.13, an open-source learning management platform. The flaw allows unauthorized users to access course settings related to sharing and invitations. Attackers can manipulate object identifiers in requests to reach resources they should not be authorized to view or modify. The vulnerability is tracked under CWE-639: Authorization Bypass Through User-Controlled Key and is exploitable over the network without authentication or user interaction.
Critical Impact
Unauthorized attackers can access and manipulate course share and invite settings in classroomio 0.1.13, exposing confidential course data and enabling unsanctioned enrollment.
Affected Products
- classroomio 0.1.13
- Open-source classroomio learning management platform deployments
- Self-hosted instances of classroomio with default configuration
Discovery Timeline
- 2025-11-26 - CVE-2025-65672 published to the National Vulnerability Database
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-65672
Vulnerability Analysis
The vulnerability is an Insecure Direct Object Reference (IDOR) affecting the course settings functionality of classroomio 0.1.13. The application exposes object identifiers referencing course share and invite resources without enforcing authorization checks on the requesting user. An attacker can substitute the identifier of another course in requests and gain access to settings they do not own. This represents a broken access control pattern classified under CWE-639. The flaw affects the confidentiality of course settings but does not directly modify integrity or availability of the application according to the published CVSS vector.
Root Cause
The root cause is the absence of object-level authorization on endpoints that handle course share and invite settings. The application trusts user-supplied identifiers without verifying that the authenticated session has rights to the referenced course. This permits cross-tenant access to data and configuration that should be restricted to course owners or instructors.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends crafted HTTP requests to the vulnerable course settings endpoints, replacing the course identifier with values belonging to other tenants. A public proof of concept is available at GitHub CVE-2025-65672 PoC, which demonstrates how identifier manipulation grants unauthorized access. Refer to the published proof of concept and the classroomio repository for endpoint and parameter details.
Detection Methods for CVE-2025-65672
Indicators of Compromise
- Unexpected HTTP requests to course share or invite settings endpoints containing course identifiers that do not match the authenticated session's owned resources.
- Sequential or enumerated identifier patterns in request URIs or bodies targeting course settings APIs.
- Outbound invitation emails or share links generated for courses without corresponding owner activity in audit logs.
Detection Strategies
- Inspect web server and application logs for requests to course share and invite endpoints originating from users not associated with the targeted course.
- Correlate authentication session identifiers with the course IDs accessed to identify cross-account access patterns.
- Deploy a Web Application Firewall (WAF) rule that flags identifier enumeration against course settings paths.
Monitoring Recommendations
- Enable verbose access logging on classroomio course settings endpoints and forward logs to a centralized SIEM for analysis.
- Alert on bursts of 4xx and 2xx responses on course settings paths from a single source within short time windows, which indicate enumeration attempts.
- Track creation of share links and invitations and review anomalies against expected administrative activity.
How to Mitigate CVE-2025-65672
Immediate Actions Required
- Restrict network access to classroomio 0.1.13 instances until a vendor-supplied patch is applied or backported authorization checks are deployed.
- Audit existing share links and pending invitations to identify and revoke unauthorized entries.
- Rotate course share tokens and invitation codes that may have been exposed through this vulnerability.
Patch Information
No vendor advisory or patched release has been published in the enriched CVE data at the time of writing. Monitor the classroomio GitHub repository for security updates and upgrade beyond version 0.1.13 once a fix is released.
Workarounds
- Implement a reverse proxy or application-level filter that enforces ownership verification on course settings endpoints before proxying requests upstream.
- Disable the course share and invite features in production deployments until a vendor patch is available.
- Apply network segmentation so the classroomio instance is only reachable from authenticated internal users via VPN or zero-trust gateway.
# Example reverse proxy rule to block unauthenticated access to settings endpoints
location ~ ^/api/courses/[^/]+/(share|invite) {
if ($http_authorization = "") {
return 401;
}
proxy_pass http://classroomio_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

