Overview
A significant security vulnerability, identified as CVE-2025-66291, has been discovered in OrangeHRM, a widely used human resource management system. This flaw allows unauthorized users to access sensitive interview attachments within the Recruitment module. Specifically, users with Employee Self-Service (ESS) level access, who should not have access to recruitment workflows, can potentially retrieve confidential interview documents, including candidate CVs, evaluations, and supporting files. This exposure stems from inadequate authorization checks during the retrieval of interview attachments.
Technical Details
The vulnerability exists in OrangeHRM versions 5.0 through 5.7. The issue arises because the interview attachment retrieval endpoint relies solely on an authenticated session and user-supplied identifiers. The server fails to verify that the requester has the necessary permissions to access the associated interview record within the Recruitment module. This means that an attacker who knows or can guess the URL of an attachment can retrieve it with any valid session, even a low-privilege one. In short, the system trusts predictable object identifiers and the presence of a valid session cookie instead of validating the user’s association with the relevant recruitment process.
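As an added illustration (not OrangeHRM's code), the following Python model contrasts an attachment handler that trusts only the session and the supplied identifier with one that also verifies the requester's association with the interview; the role names, record shapes and session tokens are constructed assumptions.

```python
"""Constructed model of the missing authorization check behind CVE-2025-66291.

Not OrangeHRM code: the roles, records and fetch functions are an assumed
simplification used to contrast the flaw with its remediation."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester may not access the requested record."""


@dataclass
class User:
    user_id: int
    role: str                      # "ESS" or "Admin" (assumed role names)


@dataclass
class Interview:
    interview_id: int
    interviewer_ids: set = field(default_factory=set)


# Constructed sample data: one interview, one attachment, three users.
INTERVIEWS = {7: Interview(7, {101})}
ATTACHMENTS = {42: {"interview_id": 7, "name": "candidate_cv.pdf"}}
USERS = {100: User(100, "ESS"), 101: User(101, "ESS"), 1: User(1, "Admin")}
SESSIONS = {"sess-ess": 100, "sess-interviewer": 101, "sess-admin": 1}


def get_attachment_vulnerable(session_token, attachment_id):
    """Pre-fix behaviour: a valid session plus a guessable id is enough."""
    if session_token not in SESSIONS:
        raise Forbidden("not authenticated")
    return ATTACHMENTS[attachment_id]["name"]


def get_attachment_fixed(session_token, attachment_id):
    """Remediated behaviour: tie the object to the requester's authorization."""
    if session_token not in SESSIONS:
        raise Forbidden("not authenticated")
    user = USERS[SESSIONS[session_token]]
    attachment = ATTACHMENTS.get(attachment_id)
    if attachment is None:
        raise Forbidden("not authorized")   # same error as denied: no id oracle
    interview = INTERVIEWS[attachment["interview_id"]]
    # Recruitment-module access: admins, or users assigned to this interview.
    if user.role != "Admin" and user.user_id not in interview.interviewer_ids:
        raise Forbidden("not authorized")
    return attachment["name"]


def is_denied(fetch, session_token, attachment_id):
    """True when the given handler refuses the request."""
    try:
        fetch(session_token, attachment_id)
    except Forbidden:
        return True
    return False
```

The remediated handler answers "not authorized" for both unknown and forbidden identifiers, so a low-privilege session cannot use the response to enumerate which attachment ids exist.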
CVSS Analysis
The CVSS score and severity for CVE-2025-66291 are currently N/A. However, the impact of this vulnerability is potentially high due to the sensitive nature of the exposed data. A proper CVSS score will be calculated based on the confidentiality impact, attack complexity, and other factors.
Possible Impact
The exploitation of CVE-2025-66291 could have serious consequences:
- Data Breach: Exposure of confidential candidate information, including CVs, contact details, and evaluations.
- Compliance Violations: Potential violation of data privacy regulations (e.g., GDPR, CCPA) due to unauthorized access to personal data.
- Reputational Damage: Loss of trust and damage to the organization’s reputation if a data breach occurs.
- Loss of Competitive Advantage: Competitors could gain access to sensitive recruitment information, such as candidate profiles and evaluation processes.
Mitigation and Patch Steps
The vulnerability has been patched in OrangeHRM version 5.8. It is strongly recommended that all users running affected versions (5.0 to 5.7) upgrade to version 5.8 immediately. If immediate upgrading is not possible, consider implementing temporary workarounds, such as limiting ESS user access and closely monitoring access logs for suspicious activity. However, upgrading to version 5.8 is the definitive solution.
