CVE-2025-65096: CWE-284: Improper Access Control in rommapp romm
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections and smart collections belonging to other users by directly accessing their IDs via the API: there is no ownership verification and no check of whether the collection is public or private before collection data is returned. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
AI Analysis
Technical Summary
CVE-2025-65096 is a security vulnerability classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key). The affected product, RomM (ROM Manager), is an application that lets users manage and play their game collections. Versions prior to 4.4.1 and 4.4.1-beta.2 have a critical design flaw in the API that retrieves collection data: before returning a collection or smart collection, the API does not verify that the requesting user owns it, nor whether it is marked public or private. Any user can therefore read private collections belonging to other users simply by knowing or guessing their IDs, a textbook insecure direct object reference. Exploitation requires only an ordinary authenticated account and no user interaction, and the flaw is remotely exploitable over the network with low attack complexity. The impact is limited to confidentiality: private user collections, which may contain sensitive or personal data, are exposed. The issue was addressed in 4.4.1 and 4.4.1-beta.2 by enforcing ownership verification and privacy checks before collection data is returned. Although no exploits have been reported in the wild, the vulnerability poses a moderate risk because it is easy to exploit and the exposed data is private. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality (VC:L), with no impact on integrity or availability.
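The flawed lookup pattern described above, beside the ownership-and-visibility check the fix enforces, as an added illustration that is not RomM's code; the `Collection` model, the in-memory store and the user and collection IDs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed in-memory model; field names are assumptions, not RomM's schema.
@dataclass(frozen=True)
class Collection:
    id: int
    owner_id: int
    name: str
    is_public: bool

class NotFound(Exception):
    """Maps to an HTTP 404 in a real handler."""

COLLECTIONS: Dict[int, Collection] = {
    1: Collection(1, owner_id=10, name="alice shared", is_public=True),
    2: Collection(2, owner_id=10, name="alice private", is_public=False),
    3: Collection(3, owner_id=20, name="bob smart collection", is_public=False),
}

def get_collection_vulnerable(requester_id: int, collection_id: int) -> Collection:
    """CWE-639 pattern: the client-supplied ID alone selects the row; who asks is ignored."""
    c = COLLECTIONS.get(collection_id)
    if c is None:
        raise NotFound(collection_id)
    return c  # another user's private collection leaks here

def can_view(c: Collection, requester_id: int) -> bool:
    """Authorization rule the advisory describes: the owner, or anyone if the collection is public."""
    return c.is_public or c.owner_id == requester_id

def get_collection_fixed(requester_id: int, collection_id: int) -> Collection:
    c = COLLECTIONS.get(collection_id)
    if c is None or not can_view(c, requester_id):
        # Same response for "does not exist" and "not visible to you", so the
        # status code does not confirm which private IDs exist.
        raise NotFound(collection_id)
    return c

def list_visible(requester_id: int) -> list:
    """Listing endpoints need the same filter, or the private IDs themselves leak."""
    return [c.id for c in COLLECTIONS.values() if can_view(c, requester_id)]
```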
Potential Impact
For European organizations, especially those involved in digital entertainment, gaming communities, or software distribution, this vulnerability could lead to unauthorized disclosure of private user data stored in RomM collections. This may result in privacy violations, loss of user trust, and potential regulatory compliance issues under GDPR due to exposure of personal data. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach could be exploited for targeted social engineering or identity-related attacks. Organizations relying on RomM to manage user collections or integrate with other services may face reputational damage if private collections are leaked. The risk is higher for entities with large user bases or those operating in countries with strict data protection laws. Since exploitation requires only a low-privileged account and no user interaction, attackers can automate scanning for vulnerable collection IDs, increasing the scale of potential data exposure.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade all RomM instances to version 4.4.1 or later, where the issue is fixed. If upgrading is not immediately possible, implement network-level access controls to restrict API access to trusted users or internal networks only. Review and audit API endpoints to ensure proper access control and ownership verification are enforced. Employ rate limiting and monitoring to detect unusual access patterns that may indicate exploitation attempts. Educate users about the importance of not sharing collection IDs publicly. Additionally, conduct a privacy impact assessment to identify any exposed data and notify affected users if a breach is suspected. Integrate security testing in the development lifecycle to prevent similar authorization bypass issues in future releases.
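The "monitoring to detect unusual access patterns" recommendation above, as an added example that is not part of the advisory or of RomM: a detector that flags an account requesting many distinct collection IDs within a short window, run over constructed access-log lines in an assumed format. Breadth of IDs is the signal rather than status codes, because on an unpatched instance the cross-user reads succeed with 200.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in an assumed format; not RomM's real log format.
SAMPLE_LOG = """\
2025-12-03T20:00:01Z user=10 GET /api/collections/1 200
2025-12-03T20:01:00Z user=20 GET /api/collections/1 200
2025-12-03T20:01:01Z user=20 GET /api/collections/2 200
2025-12-03T20:01:02Z user=20 GET /api/collections/3 200
2025-12-03T20:01:03Z user=20 GET /api/collections/4 404
2025-12-03T20:01:04Z user=20 GET /api/collections/5 200
2025-12-03T20:01:05Z user=20 GET /api/collections/6 404
2025-12-03T20:01:06Z user=20 GET /api/collections/7 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\d+) GET /api/collections/(?P<cid>\d+) (?P<status>\d{3})$")

def parse(log):
    """Return (timestamp, user_id, collection_id, status) for each line that matches the format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, int(m["user"]), int(m["cid"]), int(m["status"])))
    return events

def find_enumerators(log, window=timedelta(minutes=5), min_distinct=5):
    """Flag users that request at least min_distinct different collection IDs inside one window."""
    by_user = defaultdict(list)
    for ev in parse(log):
        by_user[ev[1]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this user's requests, oldest first
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {e[2] for e in win}
            if len(distinct) >= min_distinct:
                # denied count is reported for context; after the fix it rises, before it stays low
                flagged[user] = {"distinct_ids": len(distinct), "requests": len(win),
                                 "denied": sum(e[3] in (403, 404) for e in win)}
    return flagged
```

Tune `window` and `min_distinct` to the size of the deployment; a user with a handful of collections will never approach the threshold.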
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.692Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693096f5728fb3f62eb704ff
Added to database: 12/3/2025, 8:00:53 PM
Last enriched: 12/10/2025, 8:50:35 PM
Last updated: 1/18/2026, 10:22:19 AM