CVE-2025-65681: Critical Data Exposure Vulnerability in Overhang.IO (tutor-open-edx)

Overview

CVE-2025-65681 describes a sensitive data exposure vulnerability found in Overhang.IO (tutor-open-edx), specifically version 20.0.2. This vulnerability allows local unauthorized attackers to potentially access sensitive information due to the absence of proper cache-control HTTP headers and inadequate client-side session checks. Exploitation could lead to the leakage of user data, configuration details, or other confidential information.

Technical Details

The root cause of this vulnerability lies in the failure to implement proper cache-control HTTP headers. Without these headers, sensitive data may be cached by the browser or intermediate proxies, making it accessible to unauthorized users with local access to the system. Additionally, weak or non-existent client-side session checks further exacerbate the issue. For example, if sensitive information is displayed client-side without proper session validation, a user with access to the browser cache after a previous user has logged out might be able to view that information.

The vulnerability allows a locally logged-in attacker to potentially access cached data, including:

• User session tokens
• Configuration settings
• Personally identifiable information (PII)

CVSS Analysis

Due to the vulnerability’s characteristics, the CVSS score is currently listed as N/A. However, given that this is a data exposure issue, a proper CVSS score should be determined based on Confidentiality impact. While the vector is Local, the impact can be significant depending on the sensitivity of the data exposed. A future update may reflect a CVSS score once a full assessment has been completed.

Possible Impact

The successful exploitation of CVE-2025-65681 can lead to several negative consequences:

• Data Breach: Exposure of sensitive user data, leading to privacy violations and potential legal repercussions.
• Account Takeover: Compromised session tokens can allow attackers to impersonate legitimate users.
• System Compromise: Exposed configuration details might reveal weaknesses in the system’s security posture, which can be exploited in further attacks.
• Reputation Damage: A data breach can significantly damage the reputation of the organization using Overhang.IO.

Mitigation or Patch Steps

To mitigate this vulnerability, the following steps should be taken:

1. Upgrade to a patched version: Check the official Overhang.IO repository for updates and apply the latest patch that addresses CVE-2025-65681.
2. Implement strict cache-control headers: Ensure that all sensitive pages and API endpoints return HTTP responses with appropriate cache-control directives, such as no-cache, no-store, and private.
3. Strengthen client-side session checks: Implement robust client-side session validation to prevent unauthorized access to sensitive data even if it is temporarily cached. This includes verifying user authentication status before displaying any sensitive information.
4. Regularly review and audit code: Conduct regular security audits and code reviews to identify and address potential vulnerabilities.
5. Consult official documentation: Review the official tutor documentation for security best practices and configuration guidelines.

It is highly recommended to apply these mitigations as soon as possible to protect against potential exploitation.

References

• Overhang.IO (tutor-open-edx) Documentation
• CVE-2025-65681 Exploit Information
• Overhang.IO (tutor-open-edx) GitHub Repository