CVE-2025-3635 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Moodle versions 4.1.0, 4.3.0, 4.4.0, and 4.5.0. The vulnerability arises from the absence of adequate CSRF protections on the functionality that allows duplication of existing tours within the Moodle platform. This security gap enables an attacker to craft malicious web requests that, when visited by a victim user, cause the duplication of tours without requiring the attacker to authenticate or the victim to perform any explicit action beyond visiting a malicious page. The vulnerability specifically affects the integrity of the Moodle system by allowing unauthorized modification of tour data, but it does not compromise confidentiality or availability. The CVSS 3.1 base score is 3.5, reflecting a low severity due to the limited impact scope and the requirement for user interaction. No known exploits have been reported in the wild, and no official patches or mitigation links have been published as of the vulnerability disclosure date. The vulnerability was reserved and published in April 2025, with enrichment from CISA indicating recognition by US cybersecurity authorities. The lack of CSRF tokens or similar anti-CSRF mechanisms in the affected Moodle versions is the root cause, and this is a common web application security issue that can be mitigated by implementing standard CSRF defenses.

The primary impact of CVE-2025-3635 is on the integrity of Moodle's tour duplication feature. Attackers can cause unauthorized duplication of tours, potentially leading to confusion, data clutter, or manipulation of user experience within the learning platform. Although this does not expose sensitive data or disrupt service availability, it undermines trust in the platform's data integrity. For educational institutions and organizations relying on Moodle for e-learning, this could result in administrative overhead to clean up duplicated content and potential disruption to course delivery. Since exploitation requires user interaction but no authentication, phishing or social engineering campaigns could be used to trigger the vulnerability. The absence of known exploits limits immediate risk, but the widespread use of Moodle globally means that many organizations could be affected if attackers develop exploit techniques. The low CVSS score reflects the limited scope and impact, but the vulnerability still represents a vector for unauthorized actions within Moodle environments.

To mitigate CVE-2025-3635, organizations should first verify if they are running affected Moodle versions (4.1.0, 4.3.0, 4.4.0, 4.5.0) and prioritize upgrading to patched versions once available. In the absence of official patches, administrators should implement or enforce CSRF protections on the tour duplication functionality, such as adding anti-CSRF tokens to forms and validating them server-side. Additionally, configuring Content Security Policy (CSP) headers to restrict the origins that can execute requests may reduce risk. Monitoring web server logs for unusual POST requests related to tour duplication endpoints can help detect exploitation attempts. User education to avoid clicking on suspicious links and employing web application firewalls (WAFs) with rules to detect CSRF patterns can provide additional layers of defense. Regular security assessments and penetration testing focused on CSRF vulnerabilities in Moodle deployments are recommended to identify and remediate similar issues proactively.