CVE-2025-67259 | THREATINT

Description

A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata.

PUBLISHED Reserved 2025-12-08 | Published 2026-04-24 | Updated 2026-04-24 | Assigner mitre

References

github.com/classroomio/classroomio/issues/642 exploit

drive.google.com/...mBo4FdOo_27q-4H9MV34/view?usp=drive_link

github.com/classroomio/classroomio/issues/642

cve.org (CVE-2025-67259)

nvd.nist.gov (CVE-2025-67259)

Download JSON