Overview
CVE-2025-65096 describes a vulnerability in RomM (ROM Manager), a popular application used for managing game ROM collections. Prior to versions 4.4.1 and 4.4.1-beta.2, the application lacked proper authorization checks, allowing malicious users to potentially access and read private game collection data belonging to other users via direct API calls. This vulnerability could expose sensitive information about a user’s game collection, potentially leading to privacy breaches.
Technical Details
The vulnerability stems from a missing authorization check when retrieving collection data via the RomM API. Specifically, the application fails to verify ownership or the public/private status of a collection before returning its data. An attacker could exploit this by directly accessing the API endpoint responsible for retrieving collection information and supplying the ID of another user’s collection.
For example, if a user’s private collection ID is known (or brute-forced), an attacker could make a request like:
GET /api/collections/{collection_id}
Without proper validation, the API would return the contents of the collection, regardless of its privacy settings.
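The defect described above is a missing object-level authorization check. The following Python snippet is an added illustration, not RomM's own code: it places a handler that mirrors the pre-4.4.1 behaviour beside a hardened one that checks the collection's public flag and owner before returning anything. The in-memory store, the `Collection` fields and the function names are assumptions made for the example.

```python
from dataclasses import dataclass


# Constructed in-memory collection store for illustration only; RomM's real
# data model and endpoint code are not reproduced here.
@dataclass(frozen=True)
class Collection:
    id: int
    owner_id: int
    is_public: bool
    roms: tuple


COLLECTIONS = {
    1: Collection(id=1, owner_id=100, is_public=True, roms=("game_a", "game_b")),
    2: Collection(id=2, owner_id=100, is_public=False, roms=("game_c",)),
    3: Collection(id=3, owner_id=200, is_public=False, roms=("game_d",)),
}


class Forbidden(Exception):
    """Raised when the requester may not read the collection (would map to HTTP 403/404)."""


def get_collection_vulnerable(collection_id: int) -> tuple:
    """Vulnerable pattern: any authenticated caller who knows (or guesses) an ID
    receives the collection with no ownership or public/private check."""
    return COLLECTIONS[collection_id].roms


def can_read(collection: Collection, requester_id: int) -> bool:
    """Object-level authorization rule: public collections are readable by
    anyone; private collections only by their owner."""
    return collection.is_public or collection.owner_id == requester_id


def get_collection_fixed(collection_id: int, requester_id: int) -> tuple:
    """Hardened handler: resolve the object, then verify the requester's right
    to it before any field is returned."""
    collection = COLLECTIONS.get(collection_id)
    # Use one error for "does not exist" and "not yours" so responses do not
    # reveal which private collection IDs exist.
    if collection is None or not can_read(collection, requester_id):
        raise Forbidden(f"collection {collection_id} is not accessible")
    return collection.roms
```

In a real service the `requester_id` would come from the authenticated session, never from a request parameter.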
CVSS Analysis
Currently, the CVSS score for CVE-2025-65096 is listed as N/A. However, given the nature of the vulnerability, unauthorized access to potentially sensitive user data, a CVSS score should be determined and assigned. Based on the impact, a moderate to high severity score is likely, depending on the confidentiality requirements of the data stored in user collections.
A preliminary estimate would be a CVSS v3 score in the range of 5.3 to 7.5, assuming a High Confidentiality impact, Low Attack Complexity and no User Interaction.
Possible Impact
The exploitation of CVE-2025-65096 could lead to several negative consequences:
- Privacy Breach: Attackers could gain unauthorized access to users’ private game collection data, potentially revealing sensitive information about their gaming preferences.
- Data Harvesting: Attackers could automate the process of harvesting collection data across multiple users, aggregating valuable information.
- Targeted Attacks: The exposed data could be used to target specific users with phishing or social engineering attacks, tailored to their gaming interests.
Mitigation or Patch Steps
The vulnerability has been addressed in RomM versions 4.4.1 and 4.4.1-beta.2. Users are strongly advised to upgrade to one of these versions or a later release as soon as possible. The update includes proper authorization checks to ensure that only authorized users can access collection data.
To update RomM:
- Check your current RomM version.
- Download the latest version (4.4.1 or later) from the official RomM website.
- Follow the installation instructions provided in the RomM documentation.
