CVE-2025-65096: CWE-284: Improper Access Control in rommapp romm
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
AI Analysis
Technical Summary
CVE-2025-65096 is an authorization flaw in RomM (ROM Manager), a self-hosted application for managing game collections. It is classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), the classic insecure direct object reference: before 4.4.1 (and 4.4.1-beta.2 on the beta channel), the API endpoints that return a collection or smart collection look the record up by the ID supplied in the request and return it without checking that the requester owns it or that the collection is marked public. Any user with an account on the instance can therefore read other users' private collections simply by requesting their IDs, and because collection IDs are not secret, a scan over the ID range harvests every private collection on the server. The advisory describes the attacker as a user, so a valid low-privilege account is the only prerequisite; no victim interaction is needed and the flaw is exploitable over the network. The issue was published with a CVSS 4.0 base score of 5.3 (medium); the impact is confined to confidentiality, since the affected endpoints only read data. The fix in 4.4.1 and 4.4.1-beta.2 adds ownership and public/private checks before collection data is returned. No exploitation in the wild was known at publication. The general lesson is that authentication is not authorization: every endpoint that fetches an object by a client-supplied key must verify that the authenticated principal is allowed to see that particular object.
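The following Python example, added here and not taken from RomM's code base, shows the CWE-639 pattern the advisory describes next to the hardened form. The in-memory store, the `Collection`/`User` types, the handler names and the rule that admins may read everything are assumptions for illustration; only the shape of the bug (lookup by client-supplied ID, no ownership or visibility check) comes from the advisory.

```python
"""CWE-639 pattern behind CVE-2025-65096: a record fetched by a
client-supplied ID is returned with no ownership or visibility check.
Example code written for this page; not RomM's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass(frozen=True)
class Collection:
    id: int
    owner_id: int
    name: str
    is_public: bool


class NotFound(Exception):
    """Stand-in for an HTTP 404 response."""


# Constructed in-memory store (assumed shape; a real app would query a DB).
COLLECTIONS = {
    1: Collection(1, owner_id=10, name="alice-public", is_public=True),
    2: Collection(2, owner_id=10, name="alice-private", is_public=False),
    3: Collection(3, owner_id=20, name="bob-private", is_public=False),
}
ALICE, BOB, MALLORY, ADMIN = User(10), User(20), User(30), User(1, is_admin=True)


def get_collection_vulnerable(collection_id: int, requester: User) -> Collection:
    """Vulnerable handler: the caller is authenticated (we know who `requester`
    is) but the only check performed is whether the row exists."""
    coll = COLLECTIONS.get(collection_id)
    if coll is None:
        raise NotFound(collection_id)
    return coll  # private collections of other users leak here


def can_read(coll: Collection, requester: User) -> bool:
    """Authorization rule (assumed): public, owned by the requester, or admin."""
    return coll.is_public or coll.owner_id == requester.id or requester.is_admin


def get_collection_fixed(collection_id: int, requester: User) -> Collection:
    """Hardened handler: existence and authorization are checked together and
    both failures map to 404, so the response does not reveal whether a
    private collection with that ID exists."""
    coll = COLLECTIONS.get(collection_id)
    if coll is None or not can_read(coll, requester):
        raise NotFound(collection_id)
    return coll


def probe(handler, collection_id: int, requester: User) -> str:
    """Return the collection name the handler would serve, or 'denied'."""
    try:
        return handler(collection_id, requester).name
    except NotFound:
        return "denied"


if __name__ == "__main__":
    for handler in (get_collection_vulnerable, get_collection_fixed):
        print(handler.__name__, "-> mallory reads #2:", probe(handler, 2, MALLORY))
```

Returning 404 for both "missing" and "not yours" is a deliberate choice: a 403 would confirm to an enumerating attacker that a private collection exists at that ID. Whichever status you pick, the point is that the check lives in one helper (`can_read`) that every route fetching a collection calls, rather than being re-implemented per endpoint.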
Potential Impact
For European organizations, the direct impact is the unauthorized disclosure of private and smart collections: which games a user owns and how they have organised them. Collection names and contents can reveal personal interests and, through user-chosen names, other personal details, so on any instance serving more than one person the leak is personal data in the GDPR sense and may carry notification obligations. Community-hosted and multi-user RomM deployments are the most exposed; a single-user home instance has nobody to leak to, though the flaw still matters there if the instance is reachable from the internet and holds accounts that are not fully trusted. The flaw is read-only: collections cannot be modified or deleted through it, and the medium CVSS score reflects that. Because exploitation needs only a low-privilege account and no interaction from the victim, an attacker can script requests over the full ID range and harvest every private collection on the instance in a single pass; the exposed data could then feed social engineering or targeted attacks.
Mitigation Recommendations
Upgrade every RomM instance to 4.4.1 or later (or 4.4.1-beta.2 if you run the beta channel); this is the only complete fix. Inventory deployments first: compare the deployed version (the container image tag, or the version RomM reports in its interface) against 4.4.1 and patch anything older. Where an upgrade must wait, reduce exposure rather than take the application down: put the instance behind a VPN or an authenticating reverse proxy, and treat every account on it as able to read every collection until it is patched. Review any other endpoints that take an object ID from the client to confirm they enforce the same ownership and visibility rules, ideally through one shared authorization helper rather than per-route checks that are easy to forget. Log API access and alert on a single account requesting many distinct collection IDs in a short window; that is what an enumeration looks like both before the patch (a run of 200s) and after it (a burst of 403/404 responses). Finally, if the instance serves other people, assess whether the exposed collection data counts as personal data under GDPR and whether the exposure window requires notification.
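The enumeration detection suggested above, as an added Python example written for this page rather than a RomM feature. The access-log line format, the `/api/collections/<id>` path and the sample entries are all constructed for the example; adapt `LINE_RE` to whatever your reverse proxy or application actually writes.

```python
"""Detecting collection-ID enumeration in access logs (added example, not a
RomM feature). The log format below is constructed for this page; adapt the
regex to whatever your reverse proxy or application actually writes."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed line format: "<ISO8601 UTC> user=<name> method=<verb> path=<path> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"method=(?P<method>[A-Z]+) path=/api/collections/(?P<cid>\d+)(?:\?\S*)? "
    r"status=(?P<status>\d{3})$"
)

# Constructed sample: 'mallory' walks IDs 1..12 in 22 seconds; the others browse normally.
SAMPLE_LOG = "\n".join(
    [
        f"2025-12-03T20:00:{2 * i:02d}Z user=mallory method=GET "
        f"path=/api/collections/{i + 1} status=200"
        for i in range(12)
    ]
    + [
        "2025-12-03T20:00:05Z user=alice method=GET path=/api/collections/2 status=200",
        "2025-12-03T20:01:00Z user=bob method=GET path=/api/collections/3 status=200",
        "2025-12-03T20:03:10Z user=alice method=GET path=/api/collections/1 status=200",
        "2025-12-03T20:03:12Z user=alice method=POST path=/api/collections/1 status=200",
        "2025-12-03T20:07:00Z user=alice method=GET path=/api/collections/2?expand=roms status=200",
        "this line is not an access-log entry",
    ]
)


def parse_line(line: str):
    """Return (epoch_seconds, user, collection_id, status) for a GET on a
    single collection, or None for anything else (writes, other routes, junk)."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "GET":
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["user"], int(m["cid"]), int(m["status"])


def find_enumeration(lines, window_s: float = 60.0, min_distinct: int = 10):
    """Flag any user who fetched >= min_distinct distinct collection IDs within
    some window_s-second window. Before the patch every hit returns 200, so the
    signal is the breadth of IDs touched, not the status code; after the patch
    the same scan shows up as a burst of 403/404s and this rule still fires."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # by timestamp
        in_window = Counter()  # collection_id -> hits inside the sliding window
        lo, best = 0, None
        for t, _, cid, _ in evs:
            in_window[cid] += 1
            while t - evs[lo][0] > window_s:  # evict events older than the window
                old = evs[lo][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            distinct = len(in_window)
            if distinct >= min_distinct and (best is None or distinct > best["distinct_ids"]):
                ids = sorted(in_window)
                best = {
                    "user": user,
                    "distinct_ids": distinct,
                    "window_start": evs[lo][0],
                    # consecutive IDs are the signature of a scripted sweep
                    "sequential": ids == list(range(ids[0], ids[0] + len(ids))),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `min_distinct` and `window_s` to the instance: a user paging through the public collection list legitimately touches several IDs, so set the threshold above what the UI generates per minute and alert on the `sequential` flag first.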
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.692Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693096f5728fb3f62eb704ff
Added to database: 12/3/2025, 8:00:53 PM
Last enriched: 12/3/2025, 8:15:16 PM
Last updated: 12/4/2025, 3:47:39 AM