CVE-2025-65097: CWE-284: Improper Access Control in rommapp romm
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
AI Analysis
Technical Summary
CVE-2025-65097 is an improper access control vulnerability (CWE-284) in the RomM (ROM Manager) application, which is used for managing game collections. In versions prior to 4.4.1 and 4.4.1-beta.2, the application does not verify ownership before processing DELETE requests on collections. Any authenticated user can therefore send a DELETE request directly to the collection endpoint and remove collections owned by other users. This missing ownership check (an object-level authorization failure) can lead to unauthorized data deletion. Exploitation requires nothing beyond an authenticated request: no user interaction and no privileges above an ordinary account. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high impact on integrity (VI:H) with no impact on confidentiality or availability. The vulnerability was reserved on 2025-11-17 and published on 2025-12-03, with no known exploits in the wild at the time of publication. The issue is resolved in RomM versions 4.4.1 and 4.4.1-beta.2 by verifying ownership before allowing deletion of a collection.
Potential Impact
For European organizations using RomM in environments where multiple users manage game collections, this vulnerability poses a significant risk to data integrity and availability. Unauthorized deletion of collections can lead to loss of valuable user data, disruption of services, and potential user dissatisfaction. In scenarios where RomM is integrated into larger systems or used in gaming communities, this could result in operational disruption and reputational damage. Although confidentiality is not directly impacted, the ability for one user to delete another's data undermines trust and could facilitate further malicious activities if combined with other vulnerabilities. The ease of exploitation and lack of required user interaction increase the likelihood of abuse. Organizations relying on RomM for digital asset management must consider this vulnerability critical to address to maintain service reliability and user trust.
Mitigation Recommendations
The primary mitigation is to upgrade RomM to version 4.4.1 or later, where the vulnerability is fixed by enforcing ownership verification on DELETE requests. Organizations should audit their current RomM deployments to identify affected versions and prioritize patching. Additionally, implement monitoring and logging of DELETE requests to detect unusual or unauthorized deletion attempts. Restrict access to the RomM API endpoints to trusted networks or users where possible. Employ role-based access controls (RBAC) to limit permissions to only those users who require deletion capabilities. Conduct regular security reviews of access control mechanisms in multi-user applications. If immediate patching is not feasible, consider implementing a web application firewall (WAF) rule to block unauthorized DELETE requests or require additional authentication factors for destructive actions.
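To make the fix and the monitoring recommendation concrete, here is an added example (not RomM's own code) contrasting a delete handler that trusts authentication alone with one that checks collection ownership and writes an audit line for every denied or allowed DELETE. The in-memory store, user ids, collection names and log format are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Collection:
    # Constructed stand-in for a collection row; not RomM's data model.
    id: int
    owner_id: int
    name: str

class NotFound(Exception):
    """No collection with the requested id."""

class Forbidden(Exception):
    """Caller is authenticated but does not own the target collection."""

@dataclass
class CollectionStore:
    rows: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # DELETE audit lines for monitoring

    def delete_unchecked(self, caller_id: int, collection_id: int) -> None:
        # Vulnerable pattern: authentication alone is treated as sufficient; caller_id is never consulted.
        if collection_id not in self.rows:
            raise NotFound(collection_id)
        del self.rows[collection_id]

    def delete_owned(self, caller_id: int, collection_id: int) -> None:
        # Hardened pattern: load the row, compare its owner to the caller, and
        # record the outcome before mutating anything.
        row = self.rows.get(collection_id)
        if row is None:
            raise NotFound(collection_id)
        if row.owner_id != caller_id:
            self.audit.append(
                f"DENY user={caller_id} DELETE collection={collection_id} owner={row.owner_id}")
            raise Forbidden(collection_id)
        del self.rows[collection_id]
        self.audit.append(f"ALLOW user={caller_id} DELETE collection={collection_id}")

def seed_store() -> CollectionStore:
    # Constructed sample data: two users, one collection each.
    store = CollectionStore()
    store.rows[1] = Collection(1, owner_id=10, name="user10-favorites")
    store.rows[2] = Collection(2, owner_id=20, name="user20-backlog")
    return store

def denied_deletes(store: CollectionStore) -> list:
    # Detection helper: DENY lines are what a monitor for unauthorized deletes alerts on.
    return [line for line in store.audit if line.startswith("DENY")]
```

Whether a non-owner receives 403 or 404 is a separate design choice; what matters is that the ownership comparison runs server-side before the row is removed.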
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.692Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693096f5728fb3f62eb70502
Added to database: 12/3/2025, 8:00:53 PM
Last enriched: 12/3/2025, 8:14:51 PM
Last updated: 12/5/2025, 3:14:03 AM