
CVE-2025-65672: n/a

Published: Wed Nov 26 2025 (11/26/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

AI-Powered Analysis

Last updated: 11/26/2025, 18:58:18 UTC

Technical Analysis

CVE-2025-65672 is an Insecure Direct Object Reference (IDOR) vulnerability in classroomio version 0.1.13. IDOR vulnerabilities occur when an application exposes internal object references (such as database keys or file names) without proper authorization checks, so that a user can manipulate those references to reach resources they are not entitled to. In this case, the flaw allows unauthorized users to gain share and invite access to course settings, which should be restricted to authorized instructors or administrators: an attacker could add themselves or others to courses, modify course configurations, or share course access links without permission. The root cause is insufficient validation of the requester's permissions when handling requests related to course sharing and invitations.

No CVSS score has been assigned and no exploits are currently known in the wild, but the flaw still represents a significant risk because it compromises the integrity and confidentiality of course data. The affected version is 0.1.13, and no patch links are currently provided, which indicates that a fix may not yet be available or publicly disclosed. The CVE was reserved and published in November 2025, so it is a recent discovery.

Because classroomio is an educational platform, unauthorized access could disrupt educational workflows, expose sensitive student or instructor information, and undermine trust in the platform. The lack of authentication requirements or weak access controls makes exploitation relatively straightforward for an attacker who can identify valid course identifiers. The vulnerability highlights the need for robust, object-level access control in web applications that manage sensitive educational content.

Potential Impact

For European organizations, especially educational institutions, e-learning providers, and corporate training departments using classroomio, this vulnerability could lead to unauthorized access and manipulation of course content and settings. Confidentiality of course materials and participant information could be compromised, potentially exposing personal data protected under GDPR. Integrity of courses could be undermined by unauthorized sharing or invitations, leading to unauthorized participants gaining access or malicious alterations to course configurations. This could disrupt educational activities, damage institutional reputations, and result in regulatory penalties if personal data is exposed. The impact is particularly significant for organizations relying heavily on digital learning platforms for remote or hybrid education. Additionally, unauthorized access could facilitate further attacks such as phishing or social engineering by leveraging trust in course communications. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability details become widely known. The lack of a patch increases the urgency for organizations to implement compensating controls. Overall, the vulnerability poses a high risk to confidentiality, integrity, and availability of educational resources within European contexts.

Mitigation Recommendations

Organizations using classroomio should immediately audit access controls related to course sharing and invitation functionalities. Until an official patch is released, implement strict server-side validation to ensure that only authorized users (e.g., course owners or administrators) can perform share or invite actions. Employ role-based access control (RBAC) to restrict permissions and verify user identities before processing requests involving course settings. Monitor logs for unusual access patterns or unauthorized share/invite attempts. Educate instructors and administrators about the risk and encourage them to report suspicious activity. If possible, disable or restrict sharing and invitation features temporarily to reduce exposure. Engage with the classroomio vendor or community to obtain updates or patches addressing the vulnerability. Consider deploying web application firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting course identifiers. Conduct penetration testing focused on IDOR vulnerabilities to identify similar weaknesses. Finally, ensure that all sensitive data related to courses and users is encrypted and access is logged for audit purposes.
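The server-side check the recommendations call for, shown as an added example in JavaScript (not classroomio's own code): a share/invite handler that trusts any valid course id next to one that looks up the requester's role on that specific course before acting, and logs denials for monitoring. The course records, role names, session shape and audit log are constructed for illustration.

```javascript
// Added example, not classroomio's code: object-level authorization for
// share/invite actions on course settings. Course records, roles, the
// session shape and the audit log are constructed for illustration.
const courses = {
  "course-101": { members: { alice: "owner", bob: "student" } },
  "course-202": { members: { carol: "owner" } },
};
const auditLog = [];

// Vulnerable pattern: any authenticated user who supplies an existing
// course id may add an invitee to that course's membership.
function shareCourseVulnerable(session, courseId, invitee) {
  const course = courses[courseId];
  if (!session.user || !course) return { status: 404 };
  course.members[invitee] = course.members[invitee] || "student";
  return { status: 200 };
}

// Hardened pattern: the requester's role on this particular course is
// resolved server-side and only owner/admin may share or invite. Denials
// are logged so repeated attempts across course ids stand out in monitoring.
const PRIVILEGED_ROLES = new Set(["owner", "admin"]);
function shareCourseSecure(session, courseId, invitee) {
  if (!session.user) return { status: 401 };
  const course = courses[courseId];
  const role = course ? course.members[session.user] : undefined;
  if (!PRIVILEGED_ROLES.has(role)) {
    // Identical response whether the course is missing or the caller lacks
    // rights, so the endpoint does not confirm which course ids exist.
    auditLog.push({ event: "share_denied", user: session.user, courseId });
    return { status: 403 };
  }
  course.members[invitee] = course.members[invitee] || "student";
  auditLog.push({ event: "share_ok", user: session.user, courseId, invitee });
  return { status: 200 };
}

// Convenience for review: count denied share attempts per user.
function deniedAttemptsByUser() {
  const counts = {};
  for (const e of auditLog) {
    if (e.event === "share_denied") counts[e.user] = (counts[e.user] || 0) + 1;
  }
  return counts;
}
```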


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69274a408e37a182565a445f

Added to database: 11/26/2025, 6:43:12 PM

Last enriched: 11/26/2025, 6:58:18 PM

Last updated: 11/26/2025, 7:50:23 PM

