CVE-2025-65670: An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/...
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.
Security readout for executives and security teams
Plain-English summary
A logged-in student may briefly see sensitive classroomio admin, teacher, course, or student information by changing course identifiers in URLs. The interface reportedly returns to a restricted state, but sensitive data may already have reached the browser.
Executive priority
Treat this as a moderate confidentiality issue. Prioritize remediation where classroomio is internet-facing or contains regulated student data, but evidence provided does not support emergency handling for active exploitation.
Technical view
CVE-2025-65670 is a CWE-639 IDOR in classroomio 0.1.13. With low-privileged access, a student can manipulate course IDs to reach admin or teacher endpoints and cause unauthorized disclosure. CVSS 3.1 is 4.3: network reachable, low complexity, low confidentiality impact, no integrity or availability impact.
Likely exposure
Most relevant to organizations running classroomio 0.1.13, especially education portals with student accounts. The CVE metadata lists affected vendor and product as n/a, so exposure should be confirmed through local inventory and upstream project information.
Exploitation context
The source bundle does not show CISA KEV listing or cited active exploitation. Exploitation requires an authenticated student-level user and reachable classroomio endpoints. A public researcher reference exists, but this analysis does not rely on or provide exploit steps.
Researcher notes
The key issue is object-level authorization, not UI state. The reported momentary leak matters if restricted data is sent to the client. Source evidence is limited on patch status, affected packaging, and deployment scope.
Mitigation direction
Check classroomio upstream guidance for patched versions or official mitigation.
Enforce server-side authorization on every admin, teacher, course, and student data request.
Ensure course IDs cannot grant access without ownership or role checks.
Reduce sensitive fields returned to student-facing routes.
Review logs for unusual cross-course or admin endpoint access by student accounts.
Validation and detection
Inventory classroomio deployments and confirm whether version 0.1.13 is present.
Review route handlers for object-level authorization before returning sensitive data.
Test in authorized staging that student accounts cannot access unrelated course data.
Verify browser responses do not contain restricted data, even transiently.
Add regression tests covering student, teacher, and admin role boundaries.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-639: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-639 · source CWE mapping
Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.