CVE-2025-69634 Overview
A Cross Site Request Forgery (CSRF) vulnerability exists in Dolibarr ERP & CRM version 22.0.9. This vulnerability allows a remote attacker to escalate privileges by exploiting the notes field in the perms.php file. The flaw stems from improper access control (CWE-284), enabling attackers to trick authenticated users into performing unauthorized actions.
Critical Impact
This CSRF vulnerability enables privilege escalation in Dolibarr ERP & CRM, potentially allowing attackers to gain administrative access to business-critical enterprise resource planning and customer relationship management systems.
Affected Products
- Dolibarr ERP & CRM v.22.0.9
Discovery Timeline
- February 12, 2026 - CVE-2025-69634 published to NVD
- February 12, 2026 - Last updated in NVD database
Technical Details for CVE-2025-69634
Vulnerability Analysis
This Cross Site Request Forgery vulnerability targets the permission management functionality within Dolibarr ERP & CRM. The vulnerable endpoint perms.php fails to properly validate the origin of requests when processing updates to the notes field. This allows an attacker to craft malicious requests that, when executed by an authenticated administrator, can modify user permissions and escalate privileges.
The attack succeeds because the application does not implement proper anti-CSRF tokens or origin validation for permission-modifying operations. When a victim with administrative privileges visits a malicious page or clicks a crafted link, their browser automatically sends authenticated requests to the Dolibarr application, executing the attacker's intended actions.
Root Cause
The root cause is improper access control (CWE-284) in the perms.php file. The application fails to verify that state-changing requests originate from legitimate user interactions within the application. The notes field in the permission management interface accepts and processes requests without validating CSRF tokens, allowing attackers to forge requests on behalf of authenticated users.
Attack Vector
The attack is executed over the network and requires user interaction. An attacker must convince an authenticated Dolibarr user (one with administrative privileges, since the forged permission change runs with the victim's rights) to visit a malicious webpage or click a crafted link. The attack leverages the victim's active session to submit forged requests to the perms.php endpoint.
The attacker constructs a malicious HTML page containing a form or script that automatically submits a permission-modifying request to the vulnerable Dolibarr instance. When the victim loads this page while authenticated to Dolibarr, their browser sends the request with their session cookies, causing the server to process the privilege escalation as if it were a legitimate action by the victim.
Detection Methods for CVE-2025-69634
Indicators of Compromise
- Unexpected permission changes in user accounts, particularly privilege escalations
- Unusual requests to perms.php originating from external referrers
- Administrative users reporting they did not authorize permission modifications
- Log entries showing permission changes with external or suspicious referer headers
Detection Strategies
- Monitor HTTP request logs for requests to perms.php with unusual or external referer headers
- Implement alerting for privilege escalation events that lack corresponding administrative activity
- Review web application firewall logs for patterns consistent with CSRF attacks
- Audit user permission changes and correlate with legitimate administrative sessions
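The referer-based strategy above, as an added example that is not part of the original advisory: it scans web server access log lines for state-changing requests to perms.php whose Origin or Referer is absent or points at a different host than the Dolibarr deployment. The log layout (Combined Log Format with the Referer and Origin headers appended), the host name erp.example.com and the sample lines are all constructed assumptions; adapt the regex to your own LogFormat.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format extended with the Referer and Origin request headers.
# This field layout is an assumption; adjust LOG_RE to match your LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)

def _host(value):
    """Lowercase host of an absolute URL, or None for '-' / empty values."""
    if value in ("", "-"):
        return None
    return (urlsplit(value).hostname or "").lower() or None

def flag_csrf_candidates(lines, dolibarr_host):
    """Return (severity, reason, line) for state-changing perms.php requests
    whose Origin/Referer is missing or does not match the Dolibarr host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] in ("GET", "HEAD", "OPTIONS"):
            continue  # read-only methods cannot change permissions
        if not m["path"].split("?")[0].endswith("/perms.php"):
            continue
        # Browsers attach Origin to cross-site POSTs; fall back to Referer.
        src = _host(m["origin"]) or _host(m["referer"])
        if src is None:
            findings.append(("medium", "no Origin/Referer on state-changing request", line))
        elif src != dolibarr_host.lower():
            findings.append(("high", f"cross-site source {src}", line))
    return findings

# Constructed sample lines (not real traffic): a same-origin update, a cross-site
# POST, a POST with both headers stripped, and a harmless GET.
SAMPLE_LOG = [
    '203.0.113.5 - admin [12/Feb/2026:10:01:02 +0000] "POST /user/perms.php?id=7 HTTP/1.1" 302 0 "https://erp.example.com/user/perms.php?id=7" "https://erp.example.com"',
    '203.0.113.5 - admin [12/Feb/2026:10:03:14 +0000] "POST /user/perms.php?id=7 HTTP/1.1" 302 0 "https://attacker.example.net/lure.html" "https://attacker.example.net"',
    '203.0.113.5 - admin [12/Feb/2026:10:04:40 +0000] "POST /user/perms.php?id=7 HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.5 - admin [12/Feb/2026:10:05:01 +0000] "GET /user/perms.php?id=7 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for sev, why, ln in flag_csrf_candidates(SAMPLE_LOG, "erp.example.com"):
        print(sev, why, ln[:60])
```

A missing Referer is only medium severity because strict Referrer-Policy settings strip it from legitimate same-origin requests; correlate those hits with the session activity described under Monitoring Recommendations before escalating.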
Monitoring Recommendations
- Enable detailed logging for all permission modification operations in Dolibarr
- Configure SIEM rules to detect permission changes without corresponding user session activity in the application
- Monitor for unusual patterns of requests to administrative endpoints from authenticated sessions
- Implement user behavior analytics to identify suspicious administrative actions
How to Mitigate CVE-2025-69634
Immediate Actions Required
- Restrict access to the Dolibarr administrative interface to trusted networks only
- Implement additional authentication requirements for permission-modifying operations
- Educate administrators about CSRF risks and the importance of not clicking untrusted links while authenticated
- Consider deploying a web application firewall with CSRF protection capabilities
Patch Information
No official vendor patch information is currently available in the NVD data. Monitor Dolibarr's official channels and security advisories for updates. Security researchers have documented this vulnerability in the GitHub PoC Repository and additional research is available at the CVE-2025-69634 Research Repository.
Workarounds
- Implement a reverse proxy or web application firewall to enforce CSRF token validation
- Restrict administrative sessions to specific IP addresses
- Use browser isolation techniques when accessing the Dolibarr administrative interface
- Consider implementing custom middleware to add CSRF protection to vulnerable endpoints
# Example: Restrict access to perms.php via Apache 2.4 configuration
# (do not mix the 2.2-era Order/Deny/Allow directives with Require blocks;
# Dolibarr serves perms.php below the web root, so match on the file name)
<LocationMatch "/perms\.php$">
    # Flag requests whose Referer is the Dolibarr origin itself
    SetEnvIf Referer "^https://your-dolibarr-domain\.com/" local_referer
    # Read-only methods change no state, so they need no Referer check
    SetEnvIf Request_Method "^(GET|HEAD)$" safe_method
    <RequireAll>
        # Only the trusted administrative network may reach the endpoint
        Require ip 192.168.1.0/24
        # State-changing requests must additionally carry a same-origin Referer
        <RequireAny>
            Require env safe_method
            Require env local_referer
        </RequireAny>
    </RequireAll>
</LocationMatch>
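The "custom middleware" workaround listed above, as an added example that is not Dolibarr's own code and not part of the original advisory: a language-neutral check (written here in Python) that a reverse proxy or middleware would run on every state-changing request to perms.php, enforcing both controls the advisory says are missing, origin validation and a per-session anti-CSRF token. The origin erp.example.com, the form field name csrf_token and the session identifier are assumptions; Dolibarr's real session cookie and token field names are not taken from this page.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Assumed deployment values: the Dolibarr origin and a server-side secret
# (in practice loaded from configuration, never generated per process).
DOLIBARR_ORIGIN = "https://erp.example.com"
SERVER_SECRET = secrets.token_bytes(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def _origin(url):
    """Normalise an absolute URL to lowercase scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"

def issue_token(session_id):
    """Derive the anti-CSRF token for a session from the server secret, so the
    token is bound to that session and needs no server-side token store."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def check_request(method, headers, form, session_id):
    """Return (allowed, reason) for a request to perms.php.
    headers and form are plain dicts; header names are matched case-insensitively."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only method"
    hdr = {k.lower(): v for k, v in headers.items()}
    # Control 1: origin validation. Browsers send Origin on cross-site POSTs;
    # Referer is the fallback. A request carrying neither is rejected outright.
    src = hdr.get("origin") or hdr.get("referer")
    if not src:
        return False, "missing Origin/Referer on state-changing request"
    if _origin(src) != _origin(DOLIBARR_ORIGIN):
        return False, f"cross-site origin {src}"
    # Control 2: synchronizer token (hypothetical form field 'csrf_token').
    # A forged cross-site form cannot read the victim's token, so it fails here
    # even if the origin headers were somehow acceptable.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "same-origin request with valid token"

if __name__ == "__main__":
    sid = "constructed-session-id"
    forged = {"Origin": "https://attacker.example.net"}
    print(check_request("POST", forged, {"notes": "x"}, sid))
    genuine = {"Origin": DOLIBARR_ORIGIN}
    print(check_request("POST", genuine, {"csrf_token": issue_token(sid), "notes": "x"}, sid))
```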
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.