CVE-2025-65681: n/a
An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks.
AI Analysis
Technical Summary
CVE-2025-65681 is a vulnerability identified in Overhang.IO's tutor-open-edx platform, specifically version 20.0.2. The issue arises from the absence of proper cache-control HTTP headers combined with insufficient client-side session checks. This flaw allows local unauthorized attackers (users with access to the local system but without elevated privileges) to gain access to sensitive information that should otherwise be protected. The lack of cache-control headers means that sensitive pages or data may be stored in the browser cache or in intermediary caches, potentially exposing them to unauthorized users. Additionally, session validation relies on client-side checks rather than being reliably enforced by the server, so session restrictions can be bypassed by manipulating client-side state. The vulnerability is classified under CWE-524 (Information Exposure Through Cache) and CWE-384 (Session Fixation), indicating issues with caching sensitive data and with session management. The CVSS v3.1 score is 3.3, reflecting low severity due to the requirement for local access, lack of privileges, and the need for user interaction. There is no evidence of active exploitation in the wild, and no patches have been linked yet. However, the vulnerability could lead to unauthorized disclosure of sensitive educational or user data within the affected platform.
Potential Impact
For European organizations utilizing Overhang.IO's tutor-open-edx platform, this vulnerability poses a risk of sensitive information disclosure. Educational institutions, training providers, and corporate learning departments relying on this platform could have confidential student or employee data exposed to unauthorized local users. Although the vulnerability requires local access and user interaction, insider threats or compromised local machines could exploit this to extract sensitive information. The impact on confidentiality could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. Since the vulnerability does not affect data integrity or availability, operational disruption is unlikely. However, the exposure of sensitive data in educational environments can undermine trust and lead to secondary attacks if attackers gain further footholds.
Mitigation Recommendations
To mitigate CVE-2025-65681, organizations should implement strict cache-control HTTP headers on all sensitive pages and API responses to prevent caching of confidential data by browsers or intermediaries. This includes headers such as 'Cache-Control: no-store, no-cache, must-revalidate' and 'Pragma: no-cache'. Additionally, server-side session management must be strengthened to enforce session validation independently of client-side checks, ensuring that session tokens are verified on the server for every request. Organizations should audit their deployment of tutor-open-edx to confirm these controls are in place and consider upgrading to patched versions once available. Local access controls should be tightened to limit unauthorized users from accessing systems running the platform. Regular security training for staff to recognize and prevent local exploitation attempts is recommended. Monitoring and logging access to sensitive data can help detect potential exploitation attempts early.
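The following is an added example, not code from Tutor or Open edX, showing both controls described above in one WSGI middleware: a server-side session lookup that runs on every request to a protected path regardless of any client-side state, and replacement of the response's caching headers with 'Cache-Control: no-store, no-cache, must-revalidate', 'Pragma: no-cache' and 'Expires: 0'. It also includes an audit function of the kind a deployment review could run over captured response headers. The cookie name, protected path prefixes, in-memory session store and `weak_app` stand-in are constructed assumptions for the example.

```python
"""Server-side session enforcement plus no-store cache headers for a WSGI app.

Added example for this advisory; not Tutor or Open edX code. The cookie name,
path prefixes, session store and the weak sample app are constructed.
"""
from http.cookies import SimpleCookie
from typing import Callable, Dict, List, Optional, Tuple

NO_STORE = "no-store, no-cache, must-revalidate"

# Constructed server-side session store: token -> username. In a real
# deployment this would be the framework's session backend.
SESSIONS = {"tok-alice-1": "alice"}
SESSION_COOKIE = "sessionid"                      # assumed cookie name
PROTECTED_PREFIXES = ("/dashboard", "/grades", "/api/")  # assumed paths


def is_protected(environ: dict) -> bool:
    """Paths that carry per-user data and must never be cached."""
    return environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIXES)


def session_user(environ: dict) -> Optional[str]:
    """Resolve the session cookie against the server-side store only.

    Nothing the client sends is trusted beyond the token itself; an unknown
    or missing token yields None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header set (header names case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("cache-control", "")
    directives = {d.strip().lower() for d in raw.split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "public" in directives or any(
        d.startswith("max-age=") and d != "max-age=0" for d in directives
    ):
        findings.append("Cache-Control permits caching")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    return findings


def harden(app: Callable) -> Callable:
    """Wrap a WSGI app: enforce sessions server-side and strip caching on protected paths."""
    def wrapped(environ, start_response):
        if not is_protected(environ):
            return app(environ, start_response)
        if session_user(environ) is None:
            # Reject before the inner app runs; the 401 itself is also uncacheable.
            start_response("401 Unauthorized", [
                ("Content-Type", "text/plain"),
                ("Cache-Control", NO_STORE),
                ("Pragma", "no-cache"),
            ])
            return [b"authentication required\n"]

        def _start(status, headers, exc_info=None):
            # Drop whatever the app set and force the no-store trio.
            kept = [(k, v) for k, v in headers
                    if k.lower() not in {"cache-control", "pragma", "expires"}]
            kept += [("Cache-Control", NO_STORE), ("Pragma", "no-cache"), ("Expires", "0")]
            return start_response(status, kept, exc_info)
        return app(environ, _start)
    return wrapped


def weak_app(environ, start_response):
    """Constructed stand-in: serves user data with a permissive cache policy
    and no server-side session check, the pattern the advisory describes."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=600")])
    return [b"<html>grades for the current user</html>"]


def call(app: Callable, path: str, cookie: str = "") -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app offline and capture status, headers and body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, weak_headers, _ = call(weak_app, "/grades")
    print("weak:", audit_cache_headers(weak_headers))
    status, hard_headers, _ = call(harden(weak_app), "/grades", "sessionid=tok-alice-1")
    print("hardened:", status, audit_cache_headers(hard_headers))
```

The middleware decides per request from the server-side store, so a client that edits local storage or replays a page from its cache gains nothing the store does not grant; `audit_cache_headers` treats any `public` or non-zero `max-age` directive on a protected response as a finding, which is the check to run against the real deployment's responses.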
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69274dc48e37a182565e455f
Added to database: 11/26/2025, 6:58:12 PM
Last enriched: 12/3/2025, 7:51:25 PM
Last updated: 1/11/2026, 3:28:31 AM