Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69634

CVE-2025-69634: Dolibarr ERP & CRM CSRF Vulnerability

CVE-2025-69634 is a Cross-Site Request Forgery flaw in Dolibarr ERP & CRM v.22.0.9 that enables privilege escalation via the notes field in perms.php. This article covers the technical details, impact, and mitigation.

Published:

CVE-2025-69634 Overview

A Cross Site Request Forgery (CSRF) vulnerability exists in Dolibarr ERP & CRM version 22.0.9. This vulnerability allows a remote attacker to escalate privileges by exploiting the notes field in the perms.php file. The flaw stems from improper access control (CWE-284), enabling attackers to trick authenticated users into performing unauthorized actions.

Critical Impact

This CSRF vulnerability enables privilege escalation in Dolibarr ERP & CRM, potentially allowing attackers to gain administrative access to business-critical enterprise resource planning and customer relationship management systems.

Affected Products

  • Dolibarr ERP & CRM v.22.0.9

Discovery Timeline

  • February 12, 2026 - CVE-2025-69634 published to NVD
  • February 12, 2026 - Last updated in NVD database

Technical Details for CVE-2025-69634

Vulnerability Analysis

This Cross Site Request Forgery vulnerability targets the permission management functionality within Dolibarr ERP & CRM. The vulnerable endpoint perms.php fails to properly validate the origin of requests when processing updates to the notes field. This allows an attacker to craft malicious requests that, when executed by an authenticated administrator, can modify user permissions and escalate privileges.

The attack succeeds because the application does not implement proper anti-CSRF tokens or origin validation for permission-modifying operations. When a victim with administrative privileges visits a malicious page or clicks a crafted link, their browser automatically sends authenticated requests to the Dolibarr application, executing the attacker's intended actions.

Root Cause

The root cause is improper access control (CWE-284) in the perms.php file. The application fails to verify that state-changing requests originate from legitimate user interactions within the application. The notes field in the permission management interface accepts and processes requests without validating CSRF tokens, allowing attackers to forge requests on behalf of authenticated users.

Attack Vector

The attack is executed over the network and requires user interaction. An attacker must convince an authenticated Dolibarr user (preferably with administrative privileges) to visit a malicious webpage or click a crafted link. The attack leverages the victim's active session to submit forged requests to the perms.php endpoint.

The attacker constructs a malicious HTML page containing a form or script that automatically submits a permission-modifying request to the vulnerable Dolibarr instance. When the victim loads this page while authenticated to Dolibarr, their browser sends the request with their session cookies, causing the server to process the privilege escalation as if it were a legitimate action by the victim.

Detection Methods for CVE-2025-69634

Indicators of Compromise

  • Unexpected permission changes in user accounts, particularly privilege escalations
  • Unusual requests to perms.php originating from external referrers
  • Administrative users reporting they did not authorize permission modifications
  • Log entries showing permission changes with external or suspicious referer headers

Detection Strategies

  • Monitor HTTP request logs for requests to perms.php with unusual or external referer headers
  • Implement alerting for privilege escalation events that lack corresponding administrative activity
  • Review web application firewall logs for patterns consistent with CSRF attacks
  • Audit user permission changes and correlate with legitimate administrative sessions

Monitoring Recommendations

  • Enable detailed logging for all permission modification operations in Dolibarr
  • Configure SIEM rules to detect permission changes without corresponding user session activity in the application
  • Monitor for unusual patterns of requests to administrative endpoints from authenticated sessions
  • Implement user behavior analytics to identify suspicious administrative actions

How to Mitigate CVE-2025-69634

Immediate Actions Required

  • Restrict access to the Dolibarr administrative interface to trusted networks only
  • Implement additional authentication requirements for permission-modifying operations
  • Educate administrators about CSRF risks and the importance of not clicking untrusted links while authenticated
  • Consider deploying a web application firewall with CSRF protection capabilities

Patch Information

No official vendor patch information is currently available in the NVD data. Monitor Dolibarr's official channels and security advisories for updates. Security researchers have documented this vulnerability in the GitHub PoC Repository and additional research is available at the CVE-2025-69634 Research Repository.

Workarounds

  • Implement a reverse proxy or web application firewall to enforce CSRF token validation
  • Restrict administrative sessions to specific IP addresses
  • Use browser isolation techniques when accessing the Dolibarr administrative interface
  • Consider implementing custom middleware to add CSRF protection to vulnerable endpoints
bash
# Example: Restrict access to perms.php via Apache configuration
<Location /perms.php>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
    # Require valid session and referer header
    SetEnvIf Referer "^https://your-dolibarr-domain\.com" local_referer
    <RequireAll>
        Require env local_referer
    </RequireAll>
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.