CVE-2025-65672
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in classroomio version 0.1.13 that allows unauthorized users to access and modify course settings through share and invite functionality. Attackers can exploit this to view or alter course configurations without proper authorization. All users running classroomio 0.1.13 are affected.
💻 Affected Systems
- classroomio
📦 What is this software?
Classroomio by Classroomio
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative control over courses, modify settings, access sensitive student data, or disrupt educational activities.
Likely Case
Unauthorized users access course settings they shouldn't see, potentially modifying configurations or viewing private information.
If Mitigated
Proper access controls prevent unauthorized access, limiting impact to minor information disclosure if other controls fail.
🎯 Exploit Status
Exploitation requires some user access but minimal technical skill; public GitHub repository contains proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: unknown
Vendor Advisory: https://github.com/classroomio/classroomio
Restart Required: No
Instructions:
1. Check classroomio GitHub repository for security updates
2. Monitor for patched version release
3. Upgrade to fixed version when available
🔧 Temporary Workarounds
Disable share/invite functionality
- Temporarily disable the vulnerable share and invite features to prevent exploitation
- Modify classroomio configuration to disable share/invite endpoints
Implement additional access controls
- Add server-side authorization checks for all course setting endpoints
- Implement proper session validation and role-based access control
🧯 If You Can't Patch
- Isolate classroomio instance behind strict network controls
- Implement web application firewall rules to block suspicious share/invite requests
🔍 How to Verify
Check if Vulnerable:
Check if running classroomio version 0.1.13 and test share/invite endpoints for authorization bypass
Check Version:
Check classroomio package version or application metadata
Verify Fix Applied:
Test that unauthorized users cannot access course settings through share/invite functionality
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to course settings endpoints
- Unusual share/invite activity from non-admin users
Network Indicators:
- HTTP requests to share/invite endpoints with unauthorized parameters
SIEM Query:
source="classroomio" AND (uri_path="/share" OR uri_path="/invite") AND user_role!="admin"