CVE-2025-64012
📋 TL;DR
InvoicePlane versions before commit debb446c are vulnerable to an authorization bypass that allows users to view invoices belonging to other accounts. This affects all InvoicePlane installations that haven't applied the fix, potentially exposing sensitive financial data to unauthorized users.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
InvoicePlane by InvoicePlane
⚠️ Risk & Real-World Impact
Worst Case
An authenticated user could access all invoices in the system, exposing confidential financial information, client details, and payment records across all accounts.
Likely Case
Users with legitimate access to some invoices could view invoices belonging to other clients or accounts they shouldn't have access to, violating data privacy and confidentiality.
If Mitigated
With proper access controls implemented, users can only view invoices they own or are authorized to access, maintaining proper data segregation.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The GitHub gist demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit debb446ceaa84efc136987fc1e21b268f34e47b0 or later
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/commit/debb446ceaa84efc136987fc1e21b268f34e47b0
Restart Required: No
Instructions:
1. Update to the latest InvoicePlane version.
2. Apply commit debb446c manually if using a self-hosted version.
3. Verify the invoices/view handler now checks ownership before returning data.
🔧 Temporary Workarounds
Manual Access Control Implementation
- Add ownership verification to the invoices/view handler before returning invoice data
- Apply the changes from commit debb446c manually to your installation
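The ownership check the workaround describes, shown as an added illustration that is not InvoicePlane's code and not the contents of commit debb446c: a handler that fetches an invoice by ID alone (the vulnerable pattern) beside one that resolves the record and then enforces ownership server-side before returning it. The `User`, `Invoice`, `is_admin` flag, in-memory `INVOICES` table and `AUDIT_LOG` are all constructed for the example.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """The requested invoice does not exist."""


class Forbidden(Exception):
    """The authenticated user is not allowed to view this invoice."""


@dataclass(frozen=True)
class User:
    user_id: int
    is_admin: bool = False  # hypothetical flag: an admin may view every invoice


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_user_id: int  # the account the invoice belongs to
    amount: float


# Constructed sample data standing in for the invoices table
INVOICES = {
    101: Invoice(101, owner_user_id=1, amount=250.00),
    102: Invoice(102, owner_user_id=2, amount=1200.00),
}

# (user_id, invoice_id, outcome) records that a monitoring pipeline can consume
AUDIT_LOG = []


def view_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Vulnerable pattern: the record is looked up by ID only, so any
    authenticated user can read any invoice just by supplying its ID."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def view_invoice_fixed(user: User, invoice_id: int) -> Invoice:
    """Hardened pattern: resolve the record, then compare its owner with the
    session user on the server side before returning anything. The same
    effect can be had by scoping the query (WHERE id = ? AND user_id = ?);
    what matters is that the decision never trusts a client-supplied owner."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        AUDIT_LOG.append((user.user_id, invoice_id, "not_found"))
        raise NotFound(invoice_id)
    if not (user.is_admin or inv.owner_user_id == user.user_id):
        AUDIT_LOG.append((user.user_id, invoice_id, "denied"))
        raise Forbidden(f"user {user.user_id} may not view invoice {invoice_id}")
    AUDIT_LOG.append((user.user_id, invoice_id, "ok"))
    return inv


def can_view(handler, user: User, invoice_id: int) -> bool:
    """Convenience wrapper: True if the handler returns the invoice,
    False if it refuses on authorization grounds."""
    try:
        handler(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob = User(1), User(2)
    print("vulnerable, bob reads alice's invoice:", can_view(view_invoice_vulnerable, bob, 101))
    print("fixed, bob reads alice's invoice:", can_view(view_invoice_fixed, bob, 101))
    print("fixed, alice reads her own invoice:", can_view(view_invoice_fixed, alice, 101))
```

Recording the denied outcome in the audit trail is what makes the "multiple failed authorization attempts" indicator below observable; without it, a patched install silently returns 403 and the enumeration attempt leaves no application-level trace.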
🧯 If You Can't Patch
- Implement network segmentation to restrict access to InvoicePlane only to authorized users
- Enable detailed audit logging for all invoice access attempts and monitor for unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can access invoices belonging to other accounts by modifying invoice IDs in view requests
Check Version:
Check InvoicePlane version or git commit hash against vulnerable commit range
Verify Fix Applied:
Verify that attempting to access another user's invoice returns an authorization error or redirects to proper access denied page
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for invoice access
- User accessing invoice IDs outside their normal range
- Rapid sequential access to different invoice IDs
Network Indicators:
- Unusual patterns of GET requests to /invoices/view with varying ID parameters
SIEM Query:
source="invoiceplane" AND (uri_path="/invoices/view" AND user_id!=invoice_owner_id)
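The three log indicators above (failed authorization attempts, IDs outside a user's normal set, rapid sequential ID access) as detection logic run over a few constructed access-log lines. This is an added example, not InvoicePlane's logging format or a query for any particular SIEM: the line layout (`<time> user=<id> <METHOD> <path> <status>`), the `OWNED` map of which invoice IDs each user legitimately holds, and the thresholds are all assumptions. Both the `/invoices/view/<id>` path shape and a `?id=` query parameter are accepted so the parser is not tied to one routing style.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape, constructed for this example:
#   <ISO-8601 time> user=<user_id> <METHOD> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Extracts the invoice ID from /invoices/view/123 or /invoices/view?id=123
INVOICE_ID_RE = re.compile(r"^/invoices/view(?:/(?P<seg>\d+)|\?(?:.*&)?id=(?P<qs>\d+))")

# Constructed sample log: user 10 walks invoice IDs 1..6 in eleven seconds
# (the last one refused), user 20 views two invoices it owns, 20 minutes apart.
SAMPLE_LOG = """\
2025-11-01T10:00:00 user=10 GET /invoices/view/1 200
2025-11-01T10:00:03 user=10 GET /invoices/view/2 200
2025-11-01T10:00:05 user=10 GET /invoices/view/3 200
2025-11-01T10:00:07 user=10 GET /invoices/view/4 200
2025-11-01T10:00:09 user=10 GET /invoices/view/5 200
2025-11-01T10:00:11 user=10 GET /invoices/view/6 403
2025-11-01T10:05:00 user=20 GET /invoices/view/42 200
2025-11-01T10:20:00 user=20 GET /dashboard 200
2025-11-01T10:25:00 user=20 GET /invoices/view/43 200
"""

# Constructed ownership map: invoice IDs each user is entitled to see
OWNED = {10: {1, 2}, 20: {42, 43}}


def parse_invoice_views(log_text):
    """Return (timestamp, user_id, invoice_id, status) for every invoice view."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = INVOICE_ID_RE.match(m["path"])
        if not idm:
            continue
        invoice_id = int(idm["seg"] or idm["qs"])
        events.append((datetime.fromisoformat(m["ts"]), int(m["user"]),
                       invoice_id, int(m["status"])))
    return events


def detect_invoice_abuse(log_text, owned, window=timedelta(seconds=60),
                         min_distinct=5, min_run=4):
    """Apply the three indicators per user and return the alerts by category."""
    alerts = {"foreign_served": [], "foreign_denied": [], "enumeration": [], "sequential": []}
    per_user = defaultdict(list)
    for ev in parse_invoice_views(log_text):
        per_user[ev[1]].append(ev)

    for user in sorted(per_user):
        evs = sorted(per_user[user])
        mine = owned.get(user, set())

        # Indicator: invoice IDs outside the user's own set. A 200 means the
        # unpatched handler served it; a 403 means the ownership check held.
        for _, _, invoice_id, status in evs:
            if invoice_id in mine:
                continue
            bucket = "foreign_served" if status == 200 else "foreign_denied"
            alerts[bucket].append((user, invoice_id))

        # Indicator: many distinct invoice IDs inside one sliding window
        for i, (ts, _, _, _) in enumerate(evs):
            distinct = {e[2] for e in evs[i:] if e[0] - ts <= window}
            if len(distinct) >= min_distinct:
                alerts["enumeration"].append(user)
                break

        # Indicator: a run of strictly consecutive IDs (n, n+1, n+2, ...)
        run_start, run_len = evs[0][2], 1
        best = (run_start, run_len)
        for prev, cur in zip(evs, evs[1:]):
            if cur[2] == prev[2] + 1:
                run_len += 1
            else:
                run_start, run_len = cur[2], 1
            if run_len > best[1]:
                best = (run_start, run_len)
        if best[1] >= min_run:
            alerts["sequential"].append((user, best[0], best[1]))

    return alerts


if __name__ == "__main__":
    for category, hits in detect_invoice_abuse(SAMPLE_LOG, OWNED).items():
        print(f"{category}: {hits}")
```

The `foreign_served` bucket is the one that matters for triage on an unpatched install, because it records invoices that were actually returned to a non-owner; after the fix the same behaviour shows up as `foreign_denied` plus the enumeration and sequential alerts, which is how the SIEM query above should be read on a patched system.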