CVE-2025-25777: n/a in n/a
Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks.
AI Analysis
Technical Summary
CVE-2025-25777 describes an Insecure Direct Object Reference (IDOR) vulnerability present in the Codeastro Bus Ticket Booking System version 1.0. This vulnerability arises due to insufficient authorization checks when accessing user profile data. Specifically, the application allows an attacker to manipulate the user ID parameter in the URL to gain unauthorized access to other users' profiles. Because the system does not verify whether the requesting user is authorized to view the requested profile, attackers can bypass authentication and authorization controls. The vulnerability is classified under CWE-639, which covers authorization bypass through a user-controlled key. According to the CVSS 3.1 vector, the attack requires local access (AV:L), has low attack complexity (AC:L), and requires neither privileges (PR:N) nor user interaction (UI:N). The impact on confidentiality and integrity is high, as attackers can view and potentially modify sensitive user profile information, while availability impact is low. Although no known exploits are currently reported in the wild, the vulnerability's nature makes it a significant risk if exploited. The lack of vendor or product details limits the ability to identify affected deployments precisely, but the vulnerability is tied to a bus ticket booking system, which likely handles personal and travel-related data. The vulnerability was published on April 24, 2025, with a high severity rating and a CVSS score of 8.0, indicating a serious security flaw that demands prompt remediation.
Potential Impact
For European organizations, especially those operating or integrating with the Codeastro Bus Ticket Booking System or similar transportation booking platforms, this vulnerability poses a substantial risk to user privacy and data integrity. Unauthorized access to user profiles can lead to exposure of personally identifiable information (PII), travel itineraries, payment details, and other sensitive data. This can result in privacy violations under GDPR, leading to legal and financial penalties. Furthermore, attackers could manipulate user profiles, potentially causing fraudulent bookings or disrupting service operations. The breach of trust may damage the reputation of transportation providers and associated businesses. Given the critical role of public transportation in many European countries, exploitation could also have cascading effects on customer confidence and operational continuity. Although the attack vector requires local access, such access could in many cases be achieved via compromised user accounts or insider threats, increasing the attack surface. The lack of authentication requirements for the exploit further exacerbates the risk. Organizations relying on this system must consider the potential for data breaches, regulatory non-compliance, and operational disruptions.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict authorization checks on all endpoints that access user-specific data. Specifically, the application must validate that the authenticated user is authorized to access the requested profile before returning any data. Employing role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms can enforce fine-grained permissions. Input validation should be enhanced to prevent manipulation of user ID parameters. Additionally, implementing session management best practices, such as token-based authentication with embedded user identity claims, can reduce the risk of IDOR. Regular code audits and penetration testing focused on access control flaws should be conducted. If possible, organizations should apply patches or updates from the vendor once available. In the interim, monitoring access logs for unusual patterns, such as repeated access to multiple user profiles from a single account or IP address, can help detect exploitation attempts. Educating users about the risks of sharing credentials and enforcing multi-factor authentication (MFA) can reduce the likelihood of local access by unauthorized parties. Finally, data minimization principles should be applied to limit the exposure of sensitive information in user profiles.
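As an added illustration of the object-level authorization check recommended above (example code, not the Codeastro application's own; the in-memory profile store, the Session class and the handler names are hypothetical), the vulnerable handler is shown beside its hardened form:

```python
# Added example (not Codeastro code): a minimal profile endpoint in two
# forms. The vulnerable form returns whatever profile id the URL names; the
# hardened form authenticates, then authorizes the session's identity against
# the requested object before any data leaves the handler.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the application's user table.
PROFILES = {
    1: {"id": 1, "name": "Alice", "email": "alice@example.invalid", "role": "user"},
    2: {"id": 2, "name": "Bob", "email": "bob@example.invalid", "role": "user"},
    9: {"id": 9, "name": "Ops", "email": "ops@example.invalid", "role": "admin"},
}


@dataclass
class Session:
    """Identity established at login; never taken from the URL."""
    user_id: int
    role: str


class Forbidden(Exception):
    """Raised when the request must be denied (map to HTTP 403/404)."""


def vulnerable_profile(url_user_id: str) -> dict:
    """IDOR: trusts the id from the URL and performs no ownership check."""
    return dict(PROFILES[int(url_user_id)])


def authorized(session: Optional[Session], url_user_id: str) -> bool:
    """True only if the caller owns the requested profile or is an admin."""
    if session is None:                      # authentication comes first
        return False
    try:
        requested = int(url_user_id)
    except ValueError:                       # malformed id: deny outright
        return False
    owner = requested == session.user_id
    admin = session.role == "admin"
    # Treat "not yours" and "does not exist" identically so the endpoint
    # cannot be used to enumerate which user ids are valid.
    return (owner or admin) and requested in PROFILES


def hardened_profile(session: Optional[Session], url_user_id: str) -> dict:
    """Authorize against the session before returning any profile data."""
    if not authorized(session, url_user_id):
        raise Forbidden("not found")
    return dict(PROFILES[int(url_user_id)])
```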
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-07T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d983ec4522896dcbf00ed
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/22/2025, 5:07:38 AM
Last updated: 7/30/2025, 6:11:33 PM