CVE-2025-66911
📋 TL;DR
This vulnerability in Turms IM Server allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks. It affects all users of Turms IM Server v0.10.0-SNAPSHOT and earlier versions, potentially exposing sensitive user data.
💻 Affected Systems
- Turms IM Server
📦 What is this software?
Turms by Turms Im
⚠️ Risk & Real-World Impact
Worst Case
An attacker could enumerate all user accounts, track real-time online presence, and gather device details, leading to privacy violations, targeted attacks, or social engineering campaigns.
Likely Case
Unauthorized users within the system access other users' online status and login information, compromising user privacy and potentially enabling harassment or reconnaissance.
If Mitigated
With proper authorization controls, only authorized users can query specific user statuses, limiting data exposure to intended use cases.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via API calls to the vulnerable endpoint; no public proof-of-concept is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/turms-im/turms
Restart Required: Yes
Instructions:
1. Monitor the Turms GitHub repository for updates.
2. Apply the official patch once released.
3. Restart the Turms IM Server to implement the fix.
🔧 Temporary Workarounds
Implement custom authorization middleware
Add server-side checks to restrict user online status queries to authorized users only, such as admins or specific roles.
Modify UserServiceController.java to include authorization logic before processing queries.
🧯 If You Can't Patch
- Restrict network access to the Turms IM Server to trusted users only, using firewalls or VPNs.
- Monitor and audit logs for unusual query patterns to the user online status endpoint.
🔍 How to Verify
Check if Vulnerable:
Review the UserServiceController.java file at line 239 for missing authorization checks in handleQueryUserOnlineStatusesRequest().
Check Version:
Check the server version via configuration files or build metadata; for Turms, inspect the project version in pom.xml or similar.
Verify Fix Applied:
After applying a fix, test that authenticated users can only query authorized user statuses; unauthorized queries should be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual frequency of user online status queries from single accounts
- Queries for user IDs not associated with the requester
Network Indicators:
- API calls to /user/online-status endpoint with varied user IDs
- Increased traffic to user query functions
SIEM Query:
source="turms-server" AND endpoint="/user/online-status" AND user_id != requester_id
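The two log indicators above, worked through as an added example that is not part of this advisory or the Turms project: it parses constructed JSON audit lines (the field names requester_id, user_ids and endpoint are assumptions about how a deployment logs the status query), flags every request that names a user ID other than the requester's own, and then ranks requesters by how many distinct foreign IDs they touched, since a single foreign lookup may be a legitimate friend-status check while dozens in a few seconds look like enumeration.

```python
import json
from collections import defaultdict

# Constructed sample log lines (not real Turms output; the field names are assumptions).
SAMPLE_LOGS = """
{"ts": "2025-01-01T10:00:00Z", "endpoint": "/user/online-status", "requester_id": 1001, "user_ids": [1001]}
{"ts": "2025-01-01T10:00:05Z", "endpoint": "/user/online-status", "requester_id": 1002, "user_ids": [1001, 1003, 1004]}
{"ts": "2025-01-01T10:00:06Z", "endpoint": "/user/online-status", "requester_id": 1002, "user_ids": [1005, 1006, 1007, 1008]}
{"ts": "2025-01-01T10:00:07Z", "endpoint": "/user/online-status", "requester_id": 1002, "user_ids": [1009, 1010, 1011, 1012]}
{"ts": "2025-01-01T10:00:09Z", "endpoint": "/message/send", "requester_id": 1003, "user_ids": [1004]}
{"ts": "2025-01-01T10:00:10Z", "endpoint": "/user/online-status", "requester_id": 1003, "user_ids": [1003, 1004]}
"""

ENDPOINT = "/user/online-status"


def parse_logs(text):
    """Parse one JSON object per non-empty line; skip malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def foreign_status_queries(events):
    """Status queries naming a user ID other than the requester's own (the SIEM query, per event)."""
    hits = []
    for e in events:
        if e.get("endpoint") != ENDPOINT:
            continue
        foreign = [u for u in e.get("user_ids", []) if u != e.get("requester_id")]
        if foreign:
            hits.append((e["requester_id"], foreign))
    return hits


def enumeration_suspects(events, threshold=8):
    """Requesters whose count of distinct foreign IDs queried meets the threshold.
    One foreign lookup can be a normal friend-status check; many distinct IDs suggest enumeration."""
    seen = defaultdict(set)
    for requester, foreign in foreign_status_queries(events):
        seen[requester].update(foreign)
    return {r: len(ids) for r, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(foreign_status_queries(evs))
    print(enumeration_suspects(evs))
```

Tune the threshold to the deployment's normal contact-list size so that legitimate friend-status refreshes do not page the on-call engineer.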
🔗 References
- https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md
- https://github.com/turms-im/turms
- https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239