
CVE-2025-48375: CWE-770: Allocation of Resources Without Limits or Throttling in schule111 Schule

Medium
Tags: Vulnerability, CVE-2025-48375, cve, cwe-770
Published: Fri May 23 2025 (05/23/2025, 15:41:11 UTC)
Source: CVE
Vendor/Project: schule111
Product: Schule

Description

Schule is open-source school management system software. Prior to version 1.0.1, the file forgot_password.php (or equivalent endpoint responsible for email-based OTP generation) lacks proper rate limiting controls, allowing attackers to abuse the OTP request functionality. This vulnerability can be exploited to send an excessive number of OTP emails, leading to potential denial-of-service (DoS) conditions or facilitating user harassment through email flooding. Version 1.0.1 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 21:41:31 UTC

Technical Analysis

CVE-2025-48375 is a medium-severity vulnerability affecting versions of the open-source school management system software Schule prior to 1.0.1. The vulnerability is classified under CWE-770, which pertains to the allocation of resources without limits or throttling. Specifically, the issue resides in the forgot_password.php endpoint (or the equivalent endpoint responsible for generating email-based one-time passwords, OTPs). This endpoint lacks proper rate limiting controls, allowing an unauthenticated attacker to repeatedly trigger OTP email generation without restriction. As a result, an attacker can abuse this functionality to send an excessive volume of OTP emails to targeted users. The consequences include potential denial-of-service (DoS) conditions on the email infrastructure or the Schule application itself due to resource exhaustion. Additionally, this can facilitate user harassment through email flooding, potentially impacting user trust and system reputation. The vulnerability does not require authentication or user interaction, making exploitation straightforward over the network. The issue was addressed and fixed in version 1.0.1 of Schule by implementing appropriate rate limiting controls on the OTP request functionality. The CVSS 4.0 base score is 6.6 (medium severity), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, no confidentiality or integrity impact, and a high availability impact through resource exhaustion. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations using Schule as their school management system, this vulnerability poses a risk primarily to service availability and user experience. Exploitation can lead to denial-of-service conditions by overwhelming the email system or the Schule application with excessive OTP requests, potentially disrupting password recovery workflows and other dependent services. This disruption can affect students, teachers, and administrative staff, impeding critical educational operations. Furthermore, the ability to flood users with OTP emails can cause harassment and reduce user confidence in the platform's security. Given the sensitive nature of educational data and the reliance on digital platforms in European schools, such disruptions could have cascading effects on educational continuity and compliance with data protection regulations like GDPR if user contact information is abused. However, since the vulnerability does not allow direct data compromise or privilege escalation, the confidentiality and integrity of data remain intact if exploited solely through this vector.

Mitigation Recommendations

European organizations should immediately upgrade Schule installations to version 1.0.1 or later, where the vulnerability is patched with proper rate limiting controls. Until upgrade is possible, administrators can implement temporary mitigations such as deploying web application firewalls (WAFs) or reverse proxies configured to detect and throttle excessive OTP requests from single IP addresses or user accounts. Monitoring email sending patterns and setting thresholds for OTP email generation can help detect abuse early. Additionally, implementing CAPTCHA challenges on the OTP request form can reduce automated abuse. Organizations should also review email infrastructure capacity and alerting to handle potential spikes in email traffic. Educating users about potential phishing or harassment attempts related to OTP flooding is advisable. Finally, maintaining up-to-date backups and incident response plans will help mitigate any operational disruptions caused by exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-19T15:46:00.395Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683099ad0acd01a249274024

Added to database: 5/23/2025, 3:52:13 PM

Last enriched: 7/8/2025, 9:41:31 PM

Last updated: 8/14/2025, 6:24:26 PM
