Overview
CVE-2025-65097 identifies a security vulnerability within RomM (ROM Manager), a software application that allows users to organize and manage their game collections. This vulnerability allows an authenticated user to delete collections belonging to other users without proper authorization checks. This means if you have an account on a RomM instance affected by this bug, you could potentially delete the game collections of other users on the same instance.
This vulnerability affects all versions prior to 4.4.1 (and pre-release versions prior to 4.4.1-beta.2). It has been fixed in versions 4.4.1 and 4.4.1-beta.2.
Technical Details
The vulnerability stems from the lack of ownership verification within the collection deletion process. Specifically, when a user sends a DELETE request to the collection endpoint (e.g., /api/collections/{collection_id}), the application fails to verify whether the user initiating the request is the actual owner of the collection identified by collection_id. This allows any authenticated user to delete any collection by simply knowing its ID.
The problematic code lies within the component responsible for handling DELETE requests to the collection endpoint. A missing check like collection.owner_id == user.id or equivalent is the root cause of this issue.
An example request would look like this:
DELETE /api/collections/1234
Authorization: Bearer [valid_user_token]
Where 1234 is the ID of the collection to be deleted, and [valid_user_token] is a valid authentication token for any user on the system, not necessarily the collection owner.
CVSS Analysis
A CVSS score has not been assigned to this vulnerability, as its severity depends on the deployment context. The potential impact is nevertheless significant, since it allows unauthorized modification of other users' data. Based on the factors below, a base score in the medium range would likely be appropriate, depending on the specific deployment context.
Factors influencing the severity:
- Attack Vector: Network
- Attack Complexity: Low (requires only knowledge of a valid collection ID)
- Privileges Required: Low (requires only valid user authentication)
- User Interaction: None
- Scope: Unchanged (impact is confined to the RomM instance itself)
- Confidentiality Impact: None
- Integrity Impact: High (deletion of data)
- Availability Impact: None
Possible Impact
The potential impact of this vulnerability is significant:
- Data Loss: Users could unintentionally or maliciously delete other users’ game collections, resulting in data loss.
- Denial of Service: Malicious actors could systematically delete all collections on the platform, effectively denying service to all users.
- Reputation Damage: The discovery and exploitation of this vulnerability could damage the reputation of RomM and its developers.
Mitigation or Patch Steps
The vulnerability has been fixed in RomM versions 4.4.1 and 4.4.1-beta.2. To mitigate this vulnerability, users should:
- Upgrade RomM: Immediately upgrade to version 4.4.1 or 4.4.1-beta.2 or later.
- Verify Permissions (If Possible): If you are running your own instance of RomM, carefully review the permission management code to ensure that access controls are correctly implemented.
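The missing ownership check described under Technical Details, and the kind of review the step above asks for, are shown in the following added Python example. It is not RomM's own code: the User and Collection classes, the in-memory CollectionStore, the handler names and the sample data are all assumptions made for the illustration. The first handler models a deletion path that authenticates the caller but never compares the collection's owner with the caller; the second adds the object-level authorization check; the last function is a regression check a reviewer can run against any handler with the same signature.

```python
"""Ownership check on collection deletion (added illustration, not RomM code).

The classes, store and handler names below are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str


@dataclass
class Collection:
    id: int
    owner_id: int
    name: str


class Forbidden(Exception):
    """Caller is authenticated but not allowed to act on the resource (HTTP 403)."""


class NotFound(Exception):
    """No collection with the given id exists (HTTP 404)."""


class CollectionStore:
    """Minimal in-memory stand-in for the collections table."""

    def __init__(self, collections):
        self._by_id = {c.id: c for c in collections}

    def get(self, collection_id):
        return self._by_id.get(collection_id)

    def delete(self, collection_id):
        del self._by_id[collection_id]


def delete_collection_vulnerable(store, current_user, collection_id):
    """Models the pre-4.4.1 behaviour: the caller is authenticated (current_user
    is populated) but the handler never checks who owns the collection."""
    collection = store.get(collection_id)
    if collection is None:
        raise NotFound(collection_id)
    store.delete(collection_id)
    return collection


def delete_collection_fixed(store, current_user, collection_id):
    """Hardened handler: the delete only proceeds when the authenticated caller
    owns the collection (the collection.owner_id == user.id check)."""
    collection = store.get(collection_id)
    if collection is None:
        raise NotFound(collection_id)
    # Object-level authorization: compare the resource owner with the caller.
    if collection.owner_id != current_user.id:
        raise Forbidden(f"user {current_user.id} does not own collection {collection_id}")
    store.delete(collection_id)
    return collection


def cross_user_delete_is_rejected(handler):
    """Regression check for the review step: True when `handler` refuses to
    delete another user's collection and leaves it in place."""
    alice = User(1, "alice")
    bob = User(2, "bob")
    store = CollectionStore([            # constructed sample data
        Collection(1234, alice.id, "Alice's favourites"),
        Collection(1235, bob.id, "Bob's RPGs"),
    ])
    try:
        handler(store, bob, 1234)        # bob tries to delete alice's collection
    except Forbidden:
        return store.get(1234) is not None
    return False


if __name__ == "__main__":
    for name, handler in [("vulnerable", delete_collection_vulnerable),
                          ("fixed", delete_collection_fixed)]:
        print(f"{name} handler rejects cross-user delete:",
              cross_user_delete_is_rejected(handler))
```

The check belongs in the handler (or in a shared dependency every collection route uses), not only in the UI: the request in the Technical Details section is crafted directly against the API, so client-side hiding of other users' collections offers no protection. When reviewing, confirm that the same ownership comparison is applied to update and other write paths on the same resource, and decide deliberately whether a non-owner receives 403 or, to avoid confirming which IDs exist, 404.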
