CVE-2025-10209
BaseFortify

Publication date: 2025-09-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Papermerge DMS up to 3.5.3. It affects an unknown part of the component Authorization Token Handler. Manipulation leads to improper authorization. The attack can be launched remotely. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-09-10
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-09-10
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor: ciur, Product: papermerge_dms, Version / Range: 3.5.3
Vendor: ciur, Product: papermerge_dms, Version / Range: * (all versions)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-10209 is a broken function-level authorization vulnerability in Papermerge DMS up to version 3.5.3. The application authenticates the caller's authorization token but does not enforce an authorization check on the operation itself, so an authenticated user can perform actions or reach resources beyond their own permissions. Specifically, a remote attacker who holds a valid authorization token for one user account can delete folders, and the data they contain, that belong to other users, resulting in unauthorized actions within the application. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can impact you by allowing a remote authenticated attacker to delete folders and data belonging to other users, compromising data integrity and availability. Unauthorized deletion of resources can disrupt business operations, cause data loss, and potentially lead to privilege escalation or unauthorized actions within the system. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2025-10209 involves watching for valid authorization tokens being used to perform actions, such as folder deletion, on resources that belong to a different user account. Because the vulnerability lies in improper authorization rather than in a malformed request, the requests themselves look legitimate; what stands out is a deletion request whose authenticated user is not the owner of the target folder. Specific commands are not provided in the resources, but general detection could include reviewing access logs for deletion requests against other users' resources, or using network monitoring tools to correlate token usage with resource ownership. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the Papermerge DMS instance to trusted users only, monitoring and auditing user actions closely, and disabling or limiting the folder deletion functionality where that is possible. Since no vendor patch or official mitigation is available and the vendor did not respond, users are advised to consider replacing the affected product or enforcing additional access controls in front of it (for example at a reverse proxy) to prevent one user's token from acting on another user's resources. [3, 2]

