CVE-2025-62396
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-11-14

Assigner: Fedora Project

Description
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-23
Last Modified
2025-11-14
Generated
2026-06-16
AI Q&A
2025-10-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62396
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
moodle moodle From 4.5.0 (inc) to 4.5.7 (exc)
moodle moodle From 5.0.0 (inc) to 5.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-548 The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62396 is a medium severity vulnerability in Moodle's router script (r.php) caused by improper error handling. When HTTP requests do not include the 'Accept: text/html' header, the router may mistakenly display internal directory listings. This exposes the application's directory structure and potentially sensitive environment information to unauthorized users. [1]

Impact Analysis

This vulnerability can expose internal directory listings of the Moodle application to unauthorized users, potentially revealing sensitive information about the application's environment. Such exposure can aid attackers in further exploiting the system or understanding its structure, increasing the risk of targeted attacks. [1]

Detection Guidance

You can detect this vulnerability by sending HTTP requests to the Moodle router script (r.php) without the 'Accept: text/html' header and checking if the server returns directory listings. For example, use curl to test this behavior: curl -v -H "Accept:" http://your-moodle-site/path/to/r.php and observe if directory listings are returned instead of normal content. [1]

Mitigation Strategies

The immediate mitigation is to upgrade Moodle to versions 4.5.7 or later, or 5.0.3 or later, where this vulnerability has been fixed. Until then, ensure that HTTP requests to r.php include proper 'Accept: text/html' headers or implement web server rules to block requests missing this header to prevent directory listings from being exposed. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62396. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart