CVE-2025-66911

MEDIUM

Turms IM Server <= 0.10.0-SNAPSHOT - Authenticated Improper Access Control in User Online Status Query

Title source: llm

Description

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md

View Exploit ZIP pw:eip

Product

https://github.com/turms-im/turms

Product

https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239

Scores

CVSS v3 6.5

EPSS 0.0028

EPSS Percentile 19.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284 CWE-639

Status published

Products (1)

turms-im/turms 0.10.0-snapshot

Published Dec 19, 2025

Tracked Since Feb 18, 2026