CVE-2025-65669

CriticalPublic PoC

Published: 26 November 2025

Published

26 November 2025

Modified

03 December 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0022 44.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources like course deletion, directly preventing unauthorized students or unauthenticated attackers from bypassing admin-only restrictions.

AC-6 Least Privilege good match

prevent

Implements least privilege to restrict course deletion exclusively to admin users, mitigating the vulnerability's allowance of student-level unauthorized destructive actions.

AC-24 Access Control Decisions good match

prevent

Requires verification of access authorizations prior to permitting actions on system resources, ensuring delete operations on the Explore page check for admin privileges.

Security SummaryAI

CVE-2025-65669 is a missing authorization vulnerability (CWE-862) discovered in classroomio version 0.1.13, published on 2025-11-26. The flaw allows student accounts to delete courses directly from the Explore page without any authorization or authentication checks, circumventing the intended restriction that limits course deletion to admin users only. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts.

Any unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By accessing the Explore page, an attacker could delete arbitrary courses, disrupting service availability and integrity for all users relying on the platform, as there are no protections enforcing admin privileges for this action.

References include the vendor site at http://classroomio.com and GitHub repositories such as https://github.com/classroomio/classroomio and https://github.com/Rivek619/CVE-2025-65669, which likely contain additional details or proof-of-concept code, though specific mitigation or patch guidance is not detailed in the available information.

Details

CWE(s): CWE-862

Affected Products

classroomio

0.1.13

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

Why these techniques?

Broken access control in public-facing web app (classroomio) enables exploitation (T1190), privilege escalation for student accounts to perform admin-only course deletion (T1068), facilitating data destruction (T1485).

References

http://classroomio.com
Product · cve@mitre.org
https://github.com/Rivek619/CVE-2025-65669
Exploit, Third Party Advisory · cve@mitre.org
https://github.com/classroomio/classroomio
Product · cve@mitre.org
https://github.com/Rivek619/CVE-2025-65669
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0