CVE-2025-66291
📋 TL;DR
OrangeHRM versions 5.0 through 5.7 have an authorization bypass in the Recruitment module's interview attachment endpoint (an insecure direct object reference, IDOR). An authenticated ESS-level user with no recruitment permissions can retrieve confidential interview documents, such as candidate CVs and interviewer evaluations, by requesting predictable file identifiers. Every deployment running an affected version is exposed.
💻 Affected Systems
- OrangeHRM
📦 What is this software?
OrangeHRM is an open-source human resource management (HRM) web application developed by OrangeHRM. Its Recruitment module manages vacancies, candidates and interview scheduling, including the attachments uploaded against an interview.
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of all interview documents containing sensitive candidate information, potentially violating data protection regulations and exposing confidential HR processes.
Likely Case
Unauthorized access to specific interview documents by curious or malicious employees, compromising candidate privacy and internal recruitment confidentiality.
If Mitigated
Limited exposure if strong access controls and monitoring are in place, but still represents a data protection compliance risk.
🎯 Exploit Status
Exploitation requires an authenticated session, but any ESS-level account suffices and the attack is trivial once logged in: the attacker only needs to guess or enumerate the predictable file identifiers and request them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8
Vendor Advisory: https://github.com/orangehrm/orangehrm/security/advisories/GHSA-v32g-r8xx-4g6g
Restart Required: Yes
Instructions:
1. Back up your OrangeHRM installation and database.
2. Download OrangeHRM version 5.8 from the official repository.
3. Follow the upgrade instructions in the OrangeHRM documentation.
4. Restart the web server service.
5. Verify the fix by testing interview attachment access with an ESS user that has no recruitment permissions.
🔧 Temporary Workarounds
Disable Recruitment Module
Applies to: all platforms. Temporarily disable the Recruitment module so the vulnerable endpoint is not reachable while the upgrade is planned; recruitment functionality is unavailable to everyone until the module is re-enabled.
Restrict Attachment Directory Access
Applies to: Linux (Apache or Nginx front end). Configure the web server to deny access to the interview attachment path. Two caveats: this also blocks legitimate recruiters, so scope it with an allow-list of trusted hosts rather than a blanket deny where possible; and if the application streams attachments out of its database through a PHP endpoint rather than serving them as static files, a rule on a filesystem directory does nothing, so the rule must match the URL path of the endpoint itself. The path below is a placeholder; substitute the endpoint path observed in your deployment's access logs.
# Apache (vhost or httpd.conf)
<Location "/interview_attachments">
    Require all denied
</Location>
# Nginx (server block)
location ~ /interview_attachments { deny all; }
🧯 If You Can't Patch
- Implement strict access controls and monitoring for interview attachment endpoints
- Regularly audit access logs for unauthorized attempts to access interview documents
🔍 How to Verify
Check if Vulnerable:
1. Log in as an ESS user without recruitment permissions.
2. Attempt to access interview attachment URLs with predictable IDs.
3. If files are returned, the system is vulnerable.
Check Version:
Check OrangeHRM version in admin panel or examine source code files for version markers.
Verify Fix Applied:
1. Upgrade to version 5.8.
2. Repeat the test above with the same ESS user.
3. Verify that every request is denied with an authorization error rather than a file.
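The following probe covers both the "Check if Vulnerable" and "Verify Fix Applied" steps with one script. It is an added example, not OrangeHRM code and not from the vendor advisory; the endpoint URL template is a placeholder because the real path is deployment-specific and not given on this page, and the ESS session is assumed to be supplied as a raw Cookie header value. Redirects are deliberately not followed, since a 302 to the login page must not be mistaken for either a success or a denial.

```python
"""Probe an attachment endpoint with a low-privilege (ESS) session.

Added example, not OrangeHRM code. Assumptions not taken from the advisory:
  - URL_TEMPLATE is a placeholder; replace it with the interview-attachment
    URL observed in your deployment, keeping {id} where the identifier goes.
  - The ESS user's session is passed as a raw Cookie header value.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Iterable

URL_TEMPLATE = "https://hrm.example.test/web/index.php/PLACEHOLDER/attachment/{id}"

Fetch = Callable[[str], int]  # url -> HTTP status code


def make_fetcher(cookie: str, timeout: float = 10.0) -> Fetch:
    """Build a fetcher that sends the ESS session cookie and returns the raw
    status code. Redirects are not followed: a 302 to the login page must not
    be counted as either a success or a denial."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError(3xx) instead of following

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(url: str) -> int:
        req = urllib.request.Request(url, headers={"Cookie": cookie})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    return fetch


def probe(fetch: Fetch, ids: Iterable[int], template: str = URL_TEMPLATE) -> dict:
    """Request each identifier with the low-privilege session and classify:
    200 = document served to a user who must not see it; 401/403 = denied;
    anything else (404, 302, 500) is recorded for manual review."""
    served, denied, other = [], [], {}
    for att_id in ids:
        code = fetch(template.format(id=att_id))
        if code == 200:
            served.append(att_id)
        elif code in (401, 403):
            denied.append(att_id)
        else:
            other[att_id] = code
    return {"served": served, "denied": denied, "other": other}


def verdict(result: dict) -> str:
    """Reduce a probe result to the answer the verification steps ask for."""
    if result["served"]:
        return "VULNERABLE: %d attachment id(s) served to the ESS session" % len(result["served"])
    if result["denied"]:
        return "FIXED: every probed id was denied (401/403)"
    return "INCONCLUSIVE: no 200 or 401/403 seen; check the endpoint path and session cookie"


if __name__ == "__main__":
    # usage: probe.py '<Cookie header of an ESS session>' <first_id> <last_id>
    cookie, first, last = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    outcome = probe(make_fetcher(cookie), range(first, last + 1))
    print(verdict(outcome), outcome)
```

Run it before and after the upgrade with the same ESS session and the same ID range; the "served" list should go from non-empty to empty and every ID should move to "denied". An "INCONCLUSIVE" result usually means the session expired (all 302s) or the placeholder path was not replaced (all 404s).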
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for interview attachments
- ESS users accessing interview attachment endpoints
- Unusual pattern of file downloads from recruitment directories
Network Indicators:
- HTTP requests to interview attachment endpoints from non-recruitment users
- Burst of GET requests with sequential file IDs
SIEM Query (Splunk-style pseudo-query; field names are illustrative and depend on your log pipeline):
source="orangehrm" AND (url="*interview*attachment*" OR url="*recruitment*file*") AND user_role="ESS" AND response_code=200
Web server access logs do not carry the user's role, so user_role has to come from the application's own logging or from a lookup that maps the logged username or session to a role. Without that join, alert instead on bursts of sequential attachment IDs from one client and on repeated 401/403 responses on the attachment path, which need no role information.
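The three indicators above (ESS users receiving attachments, repeated authorization failures, and sequential-ID bursts) run over access logs, as an added example that is not part of the original page or of OrangeHRM. The log lines are constructed; the attachment route in them is a placeholder, the username in the third field is assumed to be written there by a reverse proxy that resolves the session (stock Apache logs carry "-"), and the ROLES map stands in for the join against the application's user table that an access log cannot provide by itself.

```python
"""Run the detection rules above over web-server access logs.

Added example, not OrangeHRM code. Assumptions not taken from the advisory:
  - The attachment route is a placeholder matched by ATTACHMENT_RE; adjust it
    to the path seen in your own logs.
  - The username in the third field is assumed to be written there by a
    reverse proxy that resolves the session; plain Apache logs carry '-'.
  - ROLES stands in for the join against the application's user table that
    access logs cannot provide on their own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ATTACHMENT_RE = re.compile(r"/interview/attachment/(?P<id>\d+)$")  # placeholder route

# Constructed sample: an ESS user pulling five consecutive ids in four seconds
# (all served), a recruiter fetching one legitimately, and an ESS user being
# refused on three consecutive ids after the fix.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [12/Jan/2025:10:00:01 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/101 HTTP/1.1" 200 48211
10.0.0.5 - jsmith [12/Jan/2025:10:00:02 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/102 HTTP/1.1" 200 51020
10.0.0.5 - jsmith [12/Jan/2025:10:00:02 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/103 HTTP/1.1" 200 9931
10.0.0.5 - jsmith [12/Jan/2025:10:00:03 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/104 HTTP/1.1" 200 60112
10.0.0.5 - jsmith [12/Jan/2025:10:00:04 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/105 HTTP/1.1" 200 44200
10.0.0.9 - rmanager [12/Jan/2025:10:05:00 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/101 HTTP/1.1" 200 48211
10.0.0.9 - rmanager [12/Jan/2025:10:06:00 +0000] "GET /web/index.php/PLACEHOLDER/recruitment/viewCandidates HTTP/1.1" 200 8000
10.0.0.7 - bob [12/Jan/2025:11:00:00 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/201 HTTP/1.1" 403 312
10.0.0.7 - bob [12/Jan/2025:11:00:01 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/202 HTTP/1.1" 403 312
10.0.0.7 - bob [12/Jan/2025:11:00:01 +0000] "GET /web/index.php/PLACEHOLDER/interview/attachment/203 HTTP/1.1" 403 312
"""

ROLES = {"jsmith": "ESS", "bob": "ESS", "rmanager": "Recruiter"}  # constructed lookup


def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {
                "ip": m["ip"],
                "user": m["user"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "path": m["path"],
                "status": int(m["status"]),
            }


def analyze(log_text, roles, fail_threshold=3, burst=4, window=timedelta(seconds=60)):
    """Apply the three indicators:
      ess_served    - an ESS-role user received 200 on an attachment URL
      auth_failures - a user collected >= fail_threshold 401/403 on the path
      enumeration   - one client walked >= burst consecutive ids within window
    """
    findings = {"ess_served": [], "auth_failures": [], "enumeration": []}
    failures = defaultdict(int)
    hits = defaultdict(list)  # ip -> [(timestamp, attachment id)]
    for r in parse(log_text):
        m = ATTACHMENT_RE.search(r["path"])
        if not m:
            continue
        att_id = int(m["id"])
        if r["status"] == 200 and roles.get(r["user"]) == "ESS":
            findings["ess_served"].append((r["user"], att_id))
        if r["status"] in (401, 403):
            failures[r["user"]] += 1
        hits[r["ip"]].append((r["ts"], att_id))
    findings["auth_failures"] = [(u, n) for u, n in failures.items() if n >= fail_threshold]
    for ip, seq in hits.items():
        seq.sort()
        run = 1  # length of the current run of id, id+1, id+2, ... inside the window
        for (t0, i0), (t1, i1) in zip(seq, seq[1:]):
            run = run + 1 if (i1 == i0 + 1 and t1 - t0 <= window) else 1
            if run >= burst:
                findings["enumeration"].append(ip)
                break
    return findings


if __name__ == "__main__":
    for rule, items in analyze(SAMPLE_LOG, ROLES).items():
        print(rule, items)
```

The enumeration rule is status-agnostic on purpose: after the upgrade the same walk shows up as a run of 403s, which is still worth an alert because it identifies an account trying the bypass. The burst and window thresholds are starting points; tune them against a recruiter's normal browsing before enabling paging.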