CVE-2025-65096
📋 TL;DR
This vulnerability in RomM (ROM Manager) allows authenticated users to access private game collections belonging to other users by directly querying collection IDs via API. The system fails to verify ownership or check collection privacy settings before returning data. All RomM instances running vulnerable versions are affected.
💻 Affected Systems
- RomM (ROM Manager)
📦 What is this software?
Romm by Romm.app
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could systematically enumerate and exfiltrate all private collections, potentially exposing sensitive personal gaming data, collection metadata, and organizational structures.
Likely Case
Authenticated users accidentally or intentionally accessing other users' private collections, violating privacy expectations and potentially exposing personal gaming preferences.
If Mitigated
With proper access controls and API validation, users can only access their own collections or public collections as intended.
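The check the fix has to enforce is the one described above: a collection is returned only if it is public or owned by the requesting user. The following is an added illustration, not RomM's own code; the in-memory `Collection` model, the `COLLECTIONS` table and the function names are assumptions made for the example. The vulnerable variant looks the object up by id alone (authentication has happened upstream, authorization has not), while the fixed variant applies the ownership-or-public rule before returning anything:

```python
from dataclasses import dataclass
from typing import Dict, Optional


class AccessDenied(Exception):
    """Raised when the caller may not read the requested collection."""


@dataclass(frozen=True)
class Collection:
    # Hypothetical minimal model; RomM's real schema is not reproduced here.
    id: int
    owner_id: int
    name: str
    is_public: bool


# Constructed sample data: two users (10 and 20), three collections.
COLLECTIONS: Dict[int, Collection] = {
    1: Collection(1, owner_id=10, name="user10-favourites", is_public=False),
    2: Collection(2, owner_id=10, name="user10-shared", is_public=True),
    3: Collection(3, owner_id=20, name="user20-private", is_public=False),
}


def get_collection_vulnerable(collection_id: int, requester_id: int) -> Optional[Collection]:
    # Broken access control: the requester is authenticated but never compared
    # against the owner, and is_public is ignored, so any logged-in user can
    # read any collection id they can guess.
    return COLLECTIONS.get(collection_id)


def can_read(collection: Optional[Collection], requester_id: int) -> bool:
    """Authorization rule: readable if public, or if the requester owns it."""
    if collection is None:
        return False
    return collection.is_public or collection.owner_id == requester_id


def get_collection_fixed(collection_id: int, requester_id: int) -> Collection:
    collection = COLLECTIONS.get(collection_id)
    if not can_read(collection, requester_id):
        # Same error for "does not exist" and "not yours": a distinct 403
        # would let a caller learn which ids exist, which is the first step
        # of the enumeration this advisory describes.
        raise AccessDenied(f"collection {collection_id} not found")
    return collection


if __name__ == "__main__":
    # User 10 asking for user 20's private collection.
    print(get_collection_vulnerable(3, requester_id=10))   # leaks it
    print(can_read(COLLECTIONS[3], requester_id=10))       # False
    print(get_collection_fixed(2, requester_id=20).name)   # public, allowed
```

Collapsing "missing" and "forbidden" into one response is a design choice worth keeping whether the check lives in the application or, as the workaround section suggests, in a reverse proxy rule: a proxy that cannot evaluate ownership can at best rate-limit, so the real fix belongs where the owner and privacy flag are visible.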
🎯 Exploit Status
Exploitation requires authenticated access but involves simple API calls to enumerate collection IDs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.1 or 4.4.1-beta.2
Vendor Advisory: https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c
Restart Required: Yes
Instructions:
1. Back up your RomM instance and database.
2. Update to version 4.4.1 or 4.4.1-beta.2 using your deployment method (Docker, manual, etc.).
3. Restart the RomM service.
4. Verify the update was successful.
🔧 Temporary Workarounds
API Access Restriction
Implement network-level restrictions to limit API access to trusted users only.
Authentication Enhancement
Add additional authentication layers or rate limiting to collection API endpoints.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RomM from untrusted networks
- Add application-level authorization checks through reverse proxy or WAF rules
🔍 How to Verify
Check if Vulnerable:
Check the RomM version via the web interface or API. Any version below 4.4.1 is vulnerable; the 4.4.1-beta.2 pre-release already contains the fix and is not affected.
Check Version:
curl -s http://romm-instance/api/version | grep version
Verify Fix Applied:
After updating, attempt to access another user's private collection via API using a valid collection ID that doesn't belong to your account. Access should be denied.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts on collection endpoints
- Unusual pattern of collection ID enumeration in API logs
- Access to collection IDs outside normal user patterns
Network Indicators:
- High volume of GET requests to /api/collections/{id} endpoints
- Sequential enumeration of collection IDs in API calls
SIEM Query:
source="romm" AND (uri_path="/api/collections/*" AND response_status=200) | stats count by user_id, collection_id
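The log and network indicators above come down to two questions per user: how many successful reads of collection ids did they make, and did those ids walk upward in sequence. The script below is an added example, not part of this advisory or of RomM; the access-log format (timestamp, `user=<id>`, method, path, status) and the log lines themselves are constructed for the example, so the regex must be adapted to whatever the reverse proxy or RomM actually writes. It reproduces the SIEM query's count of 200 responses by (user, collection) and additionally flags a user whose requests hit consecutive collection ids at least `min_run` times in a row:

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample access-log lines (format is an assumption, not RomM's).
# User 30 walks ids 1..6 in order; the last request is denied.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z user=10 GET /api/collections/1 200
2025-11-20T10:00:02Z user=10 GET /api/collections/2 200
2025-11-20T10:00:05Z user=20 GET /api/collections/3 200
2025-11-20T10:01:00Z user=30 GET /api/collections/1 200
2025-11-20T10:01:01Z user=30 GET /api/collections/2 200
2025-11-20T10:01:02Z user=30 GET /api/collections/3 200
2025-11-20T10:01:03Z user=30 GET /api/collections/4 200
2025-11-20T10:01:04Z user=30 GET /api/collections/5 200
2025-11-20T10:01:05Z user=30 GET /api/collections/6 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) GET /api/collections/(?P<cid>\d+) (?P<status>\d{3})$"
)


def parse(log: str) -> List[Tuple[str, int, int, int]]:
    """Return (timestamp, user_id, collection_id, status) for each matching line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines for other endpoints are ignored
            events.append((m["ts"], int(m["user"]), int(m["cid"]), int(m["status"])))
    return events


def count_successful_reads(log: str) -> Dict[Tuple[int, int], int]:
    """Same aggregation as the SIEM query: 200 responses by (user_id, collection_id)."""
    counts: Dict[Tuple[int, int], int] = defaultdict(int)
    for _ts, user, cid, status in parse(log):
        if status == 200:
            counts[(user, cid)] += 1
    return dict(counts)


def count_denied(log: str) -> Dict[int, int]:
    """Failed authorization attempts (403) per user, the first log indicator above."""
    denied: Dict[int, int] = defaultdict(int)
    for _ts, user, _cid, status in parse(log):
        if status == 403:
            denied[user] += 1
    return dict(denied)


def find_enumerators(log: str, min_run: int = 5) -> Dict[int, int]:
    """Flag users whose successive requests use consecutive collection ids.

    Returns {user_id: longest_consecutive_run} for runs of at least min_run.
    Denied requests still count: a 403 is part of the same scan.
    """
    by_user: Dict[int, List[int]] = defaultdict(list)
    for _ts, user, cid, _status in parse(log):
        by_user[user].append(cid)
    flagged: Dict[int, int] = {}
    for user, cids in by_user.items():
        run = best = 1
        for prev, cur in zip(cids, cids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(count_successful_reads(SAMPLE_LOG))
    print(count_denied(SAMPLE_LOG))
    print(find_enumerators(SAMPLE_LOG))  # {30: 6}
```

On a patched instance the interesting signal shifts from the 200s to the 403s: once ownership is enforced, a user collecting denials across many ids is probing, and `count_denied` together with the run length is enough to raise an alert. On an unpatched instance the 200s are the evidence of what was actually exposed, which is why the SIEM query groups on them.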