
CVE-2025-65672: n/a

High
Published: Wed Nov 26 2025 (11/26/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

AI-Powered Analysis

Last updated: 12/03/2025, 19:51:44 UTC

Technical Analysis

CVE-2025-65672 identifies an Insecure Direct Object Reference (IDOR) vulnerability in classroomio version 0.1.13, a platform used for managing educational courses. IDOR vulnerabilities occur when an application exposes internal object references (such as database keys or file names) without proper authorization checks, allowing attackers to manipulate these references to access unauthorized data. In this case, the vulnerability allows unauthenticated attackers to gain unauthorized access to course sharing and invitation settings. This means an attacker can view or potentially modify who is invited to courses or who has sharing permissions, without needing any credentials or user interaction. The CVSS score of 7.5 (high) reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on confidentiality, with no impact on integrity or availability. The vulnerability is classified under CWE-639, which relates to authorization bypass through improper validation of object references. No patches or known exploits are currently available, but the risk remains significant due to the sensitive nature of educational data and the potential for privacy breaches. The vulnerability could be exploited remotely, making it a critical concern for institutions relying on classroomio for course management. Organizations should urgently assess their exposure and implement compensating controls until an official patch is released.

Potential Impact

For European organizations, this vulnerability poses a serious risk to the confidentiality of educational data, including course content, participant lists, and invitation controls. Unauthorized access to course sharing and invite settings could lead to exposure of sensitive student information, unauthorized enrollment, or manipulation of course participation. This can result in privacy violations under GDPR and other data protection regulations, potentially leading to legal and financial repercussions. The lack of required authentication and user interaction increases the likelihood of exploitation, especially in remote learning environments where classroomio may be widely used. The impact is primarily on confidentiality, with no direct effect on data integrity or system availability. However, unauthorized access could indirectly affect integrity if attackers modify sharing settings. The vulnerability could undermine trust in educational platforms and disrupt academic operations if exploited at scale.

Mitigation Recommendations

1. Immediately review and restrict access controls on course sharing and invitation functionalities within classroomio, ensuring that only authorized users can modify these settings.
2. Implement server-side authorization checks that validate user permissions for every request involving object references, preventing unauthorized access even if object identifiers are manipulated.
3. Monitor logs for unusual access patterns or repeated attempts to access or modify course settings without proper authorization.
4. If possible, deploy web application firewalls (WAFs) with rules designed to detect and block suspicious requests targeting course sharing endpoints.
5. Engage with the classroomio vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
6. Educate administrators and users about the risks of sharing course access links or credentials and encourage the use of multi-factor authentication where supported.
7. Conduct regular security assessments and penetration testing focused on authorization controls to detect similar vulnerabilities proactively.
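As an added illustration (not classroomio's code, and not a claim about how its handlers are written), the JavaScript below contrasts a handler that returns course share settings by id alone, the CWE-639 pattern this CVE describes, with one that performs the per-request server-side authorization check from recommendation 2; the course data, user ids and session shape are constructed assumptions.

```javascript
// Added example, not classroomio's code: a minimal course-settings service
// showing the IDOR pattern described in CVE-2025-65672 beside the
// per-request server-side authorization check that closes it.
// All ids, users and course data below are constructed for illustration.

const courses = new Map([
  ["course-101", { admins: new Set(["alice"]), invites: ["bob@example.org"], shareLink: "shr-aaa" }],
  ["course-202", { admins: new Set(["carol"]), invites: ["dave@example.org"], shareLink: "shr-bbb" }],
]);

// VULNERABLE (CWE-639): the handler trusts the course id from the URL and
// never asks who is calling, so any client that knows or guesses an id
// can read that course's invite list and share link.
function getShareSettingsVulnerable(req) {
  const course = courses.get(req.params.courseId);
  if (!course) return { status: 404 };
  return { status: 200, body: { invites: course.invites, shareLink: course.shareLink } };
}

// Resolve the caller from the server-verified session and confirm they
// administer *this* course. Returns the course, or an error status.
function authorizeCourseAdmin(req) {
  const userId = req.session && req.session.userId;
  if (!userId) return { error: 401 };
  const course = courses.get(req.params.courseId);
  if (!course) return { error: 404 };
  if (!course.admins.has(userId)) {
    // Denied attempts are logged: many 403s across different course ids
    // from one caller is the access pattern recommendation 3 watches for.
    console.warn(`authz denied user=${userId} course=${req.params.courseId}`);
    return { error: 403 };
  }
  return { course };
}

// HARDENED read: the authorization check runs before the object is touched.
function getShareSettings(req) {
  const { course, error } = authorizeCourseAdmin(req);
  if (error) return { status: error };
  return { status: 200, body: { invites: course.invites, shareLink: course.shareLink } };
}

// HARDENED write: the same check gates modification of invite settings.
function addInvite(req) {
  const { course, error } = authorizeCourseAdmin(req);
  if (error) return { status: error };
  course.invites.push(req.body.email);
  return { status: 200, body: { invites: course.invites } };
}
```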


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69274a408e37a182565a445f

Added to database: 11/26/2025, 6:43:12 PM

Last enriched: 12/3/2025, 7:51:44 PM

Last updated: 1/11/2026, 12:39:17 AM

