CVE-2025-66423 Overview
CVE-2025-66423 is a broken access control vulnerability [CWE-863] in Tryton trytond, the server component of the Tryton business application framework. The flaw exists because trytond does not enforce access rights for the route exposing the HTML editor. Authenticated users with low privileges can reach the editor route and access data they are not authorized to view or modify. The issue affects trytond 6.0 before 7.6.11 and is addressed in versions 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Critical Impact
Authenticated low-privilege users can bypass authorization checks on the HTML editor route, exposing confidential business data and enabling limited integrity impact across Tryton deployments.
Affected Products
- Tryton trytond 6.0.x before 6.0.70
- Tryton trytond 7.0.x before 7.0.40, 7.4.x before 7.4.21
- Tryton trytond 7.6.x before 7.6.11
Discovery Timeline
- 2025-11-30 - CVE-2025-66423 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66423
Vulnerability Analysis
Tryton is a three-tier high-level general-purpose application platform written in Python, with trytond providing the server-side business logic, ORM, and HTTP routing layer. The vulnerability resides in the route that serves the HTML editor functionality. Routes in trytond are expected to validate the authenticated user's access rights against the requested model and records before returning content.
The HTML editor route omits these enforcement checks. An authenticated session can invoke the route directly and receive editor-backed data without the standard model and record-level access validation. The attack requires network access to the trytond HTTP endpoint and valid low-privilege credentials, with no user interaction needed.
Root Cause
The root cause is missing authorization enforcement on a server-side route, classified under [CWE-863] Incorrect Authorization. The HTML editor endpoint was registered without invoking the access-rights checks that other trytond routes apply through the model access layer. As a result, the route trusts the session's authentication state but never confirms whether that session has the rights required for the targeted resource.
Attack Vector
An attacker with valid credentials on a Tryton instance sends crafted HTTP requests to the HTML editor route, referencing records or fields outside their authorization scope. Because the route skips access-rights validation, trytond returns content the user should not be able to read and accepts edits the user should not be able to perform. The confidentiality impact is high, while integrity impact is limited to what the HTML editor route can modify. No verified public proof-of-concept exploit is available. Refer to the Tryton Security Release Discussion and the Heptapod Issue Tracker Entry for technical details from the maintainers.
Detection Methods for CVE-2025-66423
Indicators of Compromise
- HTTP requests to the trytond HTML editor route originating from user sessions that lack model-level permissions for the referenced records.
- Unusual volumes of editor route requests from a single authenticated session targeting multiple models or record IDs.
- Authenticated user activity that reads or modifies records inconsistent with the user's assigned Tryton groups and access rights.
Detection Strategies
- Enable verbose request logging on the trytond WSGI layer and correlate user IDs with the models referenced by HTML editor requests.
- Compare per-user route access patterns against the Tryton access-rights configuration to identify mismatches.
- Alert on authenticated sessions that suddenly access the HTML editor route with parameters spanning unrelated models or business domains.
Monitoring Recommendations
- Forward trytond application logs and reverse-proxy access logs to a centralized log platform for retention and query.
- Track baseline editor route usage per role and flag deviations, especially from accounts with limited business permissions.
- Monitor for trytond version banners and confirm that all instances report a patched release.
How to Mitigate CVE-2025-66423
Immediate Actions Required
- Upgrade trytond to 7.6.11, 7.4.21, 7.0.40, or 6.0.70 depending on the deployed branch.
- Inventory all Tryton servers, including development and staging instances, and confirm patched versions are in use.
- Review audit logs for prior access to the HTML editor route by accounts that should not have authorization for the referenced records.
Patch Information
The Tryton maintainers fixed the missing access-rights enforcement in trytond 7.6.11, 7.4.21, 7.0.40, and 6.0.70. Patch details are available in the Heptapod Issue Tracker Entry and the Tryton Security Release Discussion. Operators running supported long-term branches should apply the corresponding patched release for their branch.
Workarounds
- Restrict network access to the trytond HTTP endpoint to trusted users while upgrades are scheduled.
- Disable or block the HTML editor route at the reverse proxy until the patched version is deployed.
- Rotate credentials for low-privilege accounts if log review indicates the route was accessed without authorization.
# Example: block the HTML editor route at an Nginx reverse proxy until patched
location ~* ^/.*/html_editor {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

