CVE-2025-62396 – An error-handling vulnerability in Moodle's rou... (How to Fix)

Q: What is the severity of CVE-2025-62396?

CVE-2025-62396 has a CVSS score of 5.3 (MEDIUM). An error-handling vulnerability in Moodle's router component (r.php) can expose internal directory listings when specific HTTP headers are misconfigured. This information disclosure affects Moodle installations with improper header configurations, potentially revealing sensitive file structures to attackers.

📋 TL;DR

An error-handling vulnerability in Moodle's router component (r.php) can expose internal directory listings when specific HTTP headers are misconfigured. This information disclosure affects Moodle installations with improper header configurations, potentially revealing sensitive file structures to attackers.

💻 Affected Systems

Products:

Moodle

Versions: Specific affected versions not specified in CVE details, but appears to be recent Moodle versions

Operating Systems: All platforms running Moodle

Default Config Vulnerable: ✅ No

Notes: Requires specific HTTP header misconfiguration to be exploitable

📦 What is this software?

Moodle by Moodle

View all CVEs affecting Moodle →

Moodle by Moodle

View all CVEs affecting Moodle →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map internal directory structures, discover sensitive configuration files, backup files, or source code, leading to further exploitation.

🟠

Likely Case

Information disclosure revealing directory structure and potentially sensitive file names, but not file contents.

🟢

If Mitigated

Minimal impact with proper HTTP header configurations and directory listing disabled.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires specific HTTP header manipulation and misconfiguration

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle security advisories for specific patched version

Vendor Advisory: https://moodle.org/security/

Restart Required: No

Instructions:

1. Update Moodle to the latest patched version. 2. Apply security patches from Moodle security advisories. 3. Verify HTTP headers are properly configured.

🔧 Temporary Workarounds

Configure Proper HTTP Headers

all

Ensure proper HTTP header configuration to prevent directory listing exposure

Configure web server (Apache/Nginx) to send appropriate headers
Set proper Content-Type and other security headers

Disable Directory Listing

all

Configure web server to disable directory listings

Apache: Options -Indexes in .htaccess or httpd.conf
Nginx: autoindex off; in server configuration

🧯 If You Can't Patch

Implement strict HTTP header configurations
Disable directory listings at web server level
Implement WAF rules to detect directory traversal attempts

🔍 How to Verify

Check if Vulnerable:

Test by accessing r.php with manipulated headers and checking for directory listings

Check Version:

Check Moodle version in Site administration > Notifications or via moodle_version table

Verify Fix Applied:

Verify Moodle version is updated and test that directory listings are no longer exposed

📡 Detection & Monitoring

Log Indicators:

Multiple requests to r.php with unusual headers
HTTP 200 responses to directory listing attempts

Network Indicators:

Unusual HTTP header patterns in requests to r.php

SIEM Query:

web.url:*r.php AND (http.headers:* OR http.status:200 AND response_size:>threshold)

📊 Metadata

CVE ID: CVE-2025-62396

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-548

EPSS Score: 0.04% exploit probability (12.5th percentile)

Published: October 23, 2025

Last Updated: November 14, 2025

🔗 References

https://access.redhat.com/security/cve/CVE-2025-62396 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2404429 Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-62396, you might also want to check these: