CVE-2025-3640 is an authorization bypass vulnerability identified in Moodle versions 4.1.0 through 4.5.0. The root cause is insufficient capability checks within the platform's access control mechanisms, which allow users enrolled in a course to retrieve certain personal information of other users enrolled in the same course without having explicit permission. Specifically, the exposed data includes full names and profile image URLs, which are considered personally identifiable information (PII). The vulnerability does not permit modification of data or disruption of service but compromises user privacy by leaking information that should be restricted. The flaw requires the attacker to be authenticated and enrolled in the course, meaning it cannot be exploited by anonymous users or external attackers without credentials. No user interaction beyond normal course participation is required to exploit the vulnerability. The CVSS 3.1 base score is 4.3, indicating a medium severity primarily due to the confidentiality impact. There are no known exploits in the wild at the time of publication, and no patches were linked in the provided information, suggesting that remediation may be pending or in progress. The vulnerability was reserved and published in April 2025, and it has been enriched by CISA, indicating recognition by US cybersecurity authorities. This flaw highlights the importance of rigorous capability checks in multi-user educational platforms to prevent unauthorized data exposure.

The primary impact of CVE-2025-3640 is the unauthorized disclosure of personal information within Moodle courses. While the exposed data is limited to full names and profile image URLs, this can still lead to privacy violations, social engineering risks, and potential reputational damage for affected users and institutions. Educational institutions, corporations, and other organizations using Moodle for training or learning management may face compliance issues with data protection regulations such as GDPR or FERPA due to unauthorized data exposure. Although the vulnerability does not allow data modification or service disruption, the breach of confidentiality can undermine trust in the platform and may lead to increased scrutiny or legal consequences. Since exploitation requires authenticated access, the threat is limited to insiders or enrolled users, reducing the risk of widespread external attacks but increasing the risk of insider misuse or lateral movement within the platform. Organizations with large user bases or sensitive user populations are particularly at risk of privacy breaches.

To mitigate CVE-2025-3640, organizations should immediately verify whether their Moodle installations are running affected versions (4.1.0 through 4.5.0) and plan to apply vendor patches as soon as they become available. In the absence of patches, administrators should audit and tighten course enrollment policies to restrict access to trusted users only. Review and adjust capability and permission settings within Moodle to ensure that user profile information is only accessible to authorized roles. Consider implementing additional monitoring and logging of user access to sensitive data to detect potential abuse. Educate users about the importance of safeguarding their credentials to prevent unauthorized enrollment or account compromise. If possible, disable or limit the display of profile images and full names in course contexts until the vulnerability is remediated. Regularly update Moodle and related plugins to the latest secure versions and subscribe to Moodle security advisories for timely information. Finally, conduct privacy impact assessments and ensure compliance with relevant data protection regulations to minimize legal risks.