CVE-2025-66290
📋 TL;DR
This vulnerability allows any authenticated user in OrangeHRM to download candidate attachments (CVs, documents) without proper authorization checks. Users with only ESS-level access who shouldn't have recruitment permissions can access sensitive applicant data. This affects OrangeHRM versions 5.0 through 5.7.
💻 Affected Systems
- OrangeHRM
📦 What is this software?
OrangeHRM by OrangeHRM
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of all candidate personal data including resumes, identification documents, and sensitive information by any authenticated user.
Likely Case
Unauthorized access to candidate files by employees who shouldn't have recruitment access, leading to privacy violations and potential data misuse.
If Mitigated
Limited exposure if strong access controls and monitoring are in place to detect unusual download patterns.
🎯 Exploit Status
Exploitation requires authenticated access but is simple: the attachment URLs are requested directly. No special tools are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8
Vendor Advisory: https://github.com/orangehrm/orangehrm/security/advisories/GHSA-qf8r-c54j-jw88
Restart Required: Yes
Instructions:
1. Back up your OrangeHRM installation and database.
2. Download OrangeHRM version 5.8 from official sources.
3. Follow the upgrade instructions in the OrangeHRM documentation.
4. Restart the web server/service.
5. Verify the fix by testing attachment access with ESS-level users.
🔧 Temporary Workarounds
Access Control Enhancement
Implement additional authorization checks at the web server or application firewall level to restrict access to recruitment attachment endpoints.
Network Segmentation
Restrict access to OrangeHRM to only authorized users and implement network segmentation to limit exposure.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for recruitment attachment endpoints
- Disable recruitment module if not essential for business operations
🔍 How to Verify
Check if Vulnerable:
1. Log in as an ESS-level user (no recruitment permissions).
2. Attempt to access candidate attachment URLs directly.
3. If the download succeeds, the system is vulnerable.
Check Version:
Check the OrangeHRM version in the admin panel, or look for version information in the application files.
Verify Fix Applied:
1. Upgrade to version 5.8.
2. Log in as an ESS-level user.
3. Attempt to access candidate attachment URLs.
4. Verify that access is denied with a proper authorization error.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to recruitment attachment endpoints from non-recruitment users
- Multiple failed authorization attempts followed by successful file downloads
Network Indicators:
- HTTP requests to /recruitmentAttachment endpoints from unauthorized user accounts
- Unusual download volumes from recruitment endpoints
SIEM Query:
source="orangehrm" AND (uri="/recruitmentAttachment" OR uri CONTAINS "recruitment") AND user_role!="recruitment" AND response_code=200
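Detection logic for the log indicators above, as an added example that is not part of the original advisory or of OrangeHRM: it parses constructed access-log lines (the log format, the role names and the `/recruitmentAttachment?candidateId=` URIs are assumptions) and flags successful attachment downloads by users outside the recruitment roles, plus users whose denied request was later followed by a successful one.

```python
import re

# Roles assumed to legitimately hold recruitment permissions (example assumption).
ALLOWED_ROLES = {"recruitment", "admin"}
ATTACHMENT_PATH = "/recruitmentAttachment"

# Assumed simplified log format: "<timestamp> <user> <role> <method> <uri> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample lines for this example; not real OrangeHRM logs.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z alice ess GET /web/index.php/pim/viewMyDetails 200
2025-01-10T09:00:05Z bob recruitment GET /recruitmentAttachment?candidateId=12 200
2025-01-10T09:01:10Z alice ess GET /recruitmentAttachment?candidateId=12 200
2025-01-10T09:01:12Z alice ess GET /recruitmentAttachment?candidateId=13 200
2025-01-10T09:02:00Z carol ess GET /recruitmentAttachment?candidateId=14 403
2025-01-10T09:02:03Z carol ess GET /recruitmentAttachment?candidateId=15 200
2025-01-10T09:03:00Z dave admin GET /recruitmentAttachment?candidateId=16 200
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, role, method, uri, status = m.groups()
            yield {"ts": ts, "user": user, "role": role, "method": method,
                   "uri": uri, "status": int(status)}

def unauthorized_downloads(text, allowed_roles=ALLOWED_ROLES):
    """Successful (HTTP 200) attachment fetches by users outside the allowed roles."""
    return [e for e in parse_log(text)
            if e["uri"].startswith(ATTACHMENT_PATH)
            and e["status"] == 200
            and e["role"] not in allowed_roles]

def denied_then_success(text):
    """Users whose attachment request was denied (403) and later succeeded (200)."""
    denied, flagged = set(), []
    for e in parse_log(text):
        if not e["uri"].startswith(ATTACHMENT_PATH):
            continue
        if e["status"] == 403:
            denied.add(e["user"])
        elif e["status"] == 200 and e["user"] in denied and e["user"] not in flagged:
            flagged.append(e["user"])
    return flagged

if __name__ == "__main__":
    for e in unauthorized_downloads(SAMPLE_LOG):
        print(f"{e['ts']} {e['user']} ({e['role']}) fetched {e['uri']}")
    print("denied-then-success:", denied_then_success(SAMPLE_LOG))
```

On a patched 5.8 instance the ESS requests should appear with 403 only, so the first function returning any rows after the upgrade is itself a sign the fix is not in effect.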