CVE-2025-65670

MEDIUM

classroomio <0.1.13 - Info Disclosure

Title source: llm

Description

An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.

Exploits (1)

nomisec WRITEUP

by Rivek619 · poc

https://github.com/Rivek619/CVE-2025-65670

View Code ZIP pw:eip

References (3)

[Product] http://classroomio.com

[Exploit, Third Party Advisory] https://github.com/Rivek619/CVE-2025-65670

[Product] https://github.com/classroomio/classroomio

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-639

Status published

Products (1)

classroomio/classroomio 0.1.13

Published Nov 26, 2025

Tracked Since Feb 18, 2026