CVE-2025-34031

7.5 HIGH

📋 TL;DR

A path traversal vulnerability in Moodle LMS Jmol plugin versions 6.1 and earlier allows unauthenticated attackers to read arbitrary files from the server filesystem by manipulating the query parameter in jsmol.php. This exposes sensitive configuration data including database credentials. All Moodle installations using the vulnerable Jmol plugin are affected.

💻 Affected Systems

Products:
  • Moodle LMS Jmol plugin
Versions: 6.1 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Moodle installation with the Jmol plugin enabled. The vulnerability is in the plugin, not core Moodle.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise via database credential theft, leading to data exfiltration, privilege escalation, or ransomware deployment.

🟠 Likely Case: Sensitive configuration file exposure, including database credentials, potentially enabling further attacks.

🟢 If Mitigated: Limited to reading non-sensitive files if proper file permissions and web server configurations are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation evidence observed by Shadowserver Foundation on 2025-02-02. Exploit code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2 or later

Vendor Advisory: https://vulncheck.com/advisories/moodle-lms-jmol-plugin-path-traversal

Restart Required: No

Instructions:

1. Update the Jmol plugin to version 6.2 or later via Moodle plugin management.
2. Verify the update by checking the plugin version in the Moodle admin panel.
3. No server restart is required.

🔧 Temporary Workarounds

Disable Jmol plugin (platform: all)

Temporarily disable the vulnerable plugin until patching is possible.

Navigate to Moodle admin panel > Plugins > Manage plugins > Disable Jmol plugin

Web server file restriction (platform: linux)

Configure the web server to block access to jsmol.php, or restrict its query parameter, until the plugin is updated. Adjust the path in the rules below to wherever jsmol.php is actually served in your installation; it is the plugin's file, not necessarily at the web root.

For Apache, add the following to the .htaccess in the directory containing jsmol.php (mod_rewrite must be loaded and AllowOverride must permit rewrite rules, otherwise the rule is silently ignored):

RewriteEngine On
RewriteRule ^jsmol\.php$ - [F]

For Nginx, add the following inside the server block in nginx.conf. Nginx evaluates regular-expression locations in the order they appear, so this block must come before any generic "location ~ \.php$" block that hands requests to PHP-FPM, or that block will match first and the file will still be executed:

location ~ ^/jsmol\.php$ { return 403; }

🧯 If You Can't Patch

  • Implement strict web application firewall rules to block path traversal patterns in query parameters
  • Restrict network access to Moodle instance to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check whether the Jmol plugin version is 6.1 or earlier in the Moodle admin panel under Plugins > Manage plugins.

Check Version:

Check the Moodle admin panel, or examine the plugin directory for its version file (version.php).

Verify Fix Applied:

Verify that the Jmol plugin version is 6.2 or later in the Moodle admin panel, and confirm that jsmol.php no longer serves files outside its intended directory when given traversal sequences in its query parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs for jsmol.php
  • Multiple requests to jsmol.php with ../ patterns in query parameters
  • Access to sensitive files like config.php, .env, or /etc/passwd

Network Indicators:

  • HTTP requests to jsmol.php containing path traversal sequences (../, ..\) in query parameters
  • Unusual outbound traffic from Moodle server following exploitation

SIEM Query:

web.url:*/jsmol.php AND (web.query:*../* OR web.query:*..\*)
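The SIEM query above matches only the literal "../" and "..\" forms; a request that percent-encodes the dots or slashes (for example %2e%2e%2f, or a double-encoded ..%255c) carries the same traversal but would not be caught. The following script is an added example for this detection section, not code from the advisory or from the Moodle or Jmol projects. It parses access-log lines in the common "combined" format, keeps only requests to jsmol.php, URL-decodes the query string until it stops changing, and flags any decoded "../" or "..\" sequence, then counts repeat offenders per client. The log lines, the plugin path "/plugin-path/jsmol.php" and the parameter name "query" are constructed placeholders; the detector looks at the whole query string, so the real parameter name does not matter.

```python
"""Added example: detect path-traversal attempts against jsmol.php in access logs.
Not code from the advisory or the Moodle/Jmol projects. The sample log, the
plugin path and the parameter name are constructed placeholders."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# A path component of ".." followed by a forward or back slash, in the decoded query.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

# jsmol.php as the final path component (not "notjsmol.php").
JSMOL_PATH_RE = re.compile(r'(^|/)jsmol\.php$', re.IGNORECASE)

# Constructed sample log. "/plugin-path/jsmol.php" and "query=" are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Feb/2025:10:15:01 +0000] "GET /plugin-path/jsmol.php?query=caffeine.mol HTTP/1.1" 200 5120
203.0.113.10 - - [02/Feb/2025:10:15:07 +0000] "GET /plugin-path/jsmol.php?query=../../../../config.php HTTP/1.1" 200 2411
203.0.113.10 - - [02/Feb/2025:10:15:09 +0000] "GET /plugin-path/jsmol.php?query=%2e%2e%2f%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 2411
198.51.100.7 - - [02/Feb/2025:11:02:44 +0000] "GET /plugin-path/jsmol.php?query=..%255c..%255cconfig.php HTTP/1.1" 403 199
198.51.100.7 - - [02/Feb/2025:11:03:01 +0000] "GET /index.php?redirect=../../etc/passwd HTTP/1.1" 404 310
garbage line that does not parse
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    sequences are normalised before pattern matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[dict]:
    """Return a finding for a jsmol.php request whose query string contains a
    traversal sequence after decoding; None for unparseable or benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if not JSMOL_PATH_RE.search(decode_fully(path)):
        return None
    decoded_query = decode_fully(query)
    if not TRAVERSAL_RE.search(decoded_query):
        return None
    return {
        'client': m.group('client'),
        'timestamp': m.group('ts'),
        'status': int(m.group('status')),
        'decoded_query': decoded_query,
        # True when the literal "../" SIEM pattern would have missed this request.
        'encoded': query != decoded_query,
    }


def scan(log_text: str) -> list:
    """Run classify() over every line and collect the findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def repeat_offenders(findings: list, threshold: int = 2) -> dict:
    """Clients with at least `threshold` traversal attempts against jsmol.php
    (the 'multiple requests' indicator). A 200 response on such a request is the
    strongest signal that the server actually returned the requested file."""
    counts = Counter(f['client'] for f in findings)
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f)
    print('repeat offenders:', repeat_offenders(findings))
```

On the constructed sample, the benign request and the traversal against a different endpoint are ignored, the literal and the two encoded jsmol.php requests are flagged, and the client that issued two of them is reported as a repeat offender. Feed the script your real access logs and pair a 200 status on a flagged line with the file-integrity and credential-rotation steps you would take on confirmed exposure.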
