CVE-2025-66290
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-29

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no permission to view the Recruitment module, can directly access candidate attachment URLs. When an authenticated request is made to the attachment endpoint, the system validates the session but does not confirm that the requesting user has the necessary recruitment permissions. As a result, any authenticated user can download CVs and other uploaded documents for arbitrary candidates by issuing direct requests to the attachment endpoint, leading to unauthorized exposure of sensitive applicant data. This issue has been patched in version 5.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-29
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-11-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66290
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orangehrm orangehrm From 5.0 (inc) to 5.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OrangeHRM versions 5.0 to 5.7 where the recruitment attachment retrieval endpoint does not enforce authorization checks. This means that even users with limited ESS-level access, who normally cannot view the Recruitment module, can directly access candidate attachment URLs. The system validates the user's session but fails to verify if the user has permission to access recruitment data, allowing any authenticated user to download sensitive candidate files such as CVs and other uploaded documents without proper authorization.

Impact Analysis

The vulnerability can lead to unauthorized exposure of sensitive applicant data. Any authenticated user, regardless of their permission level, can access and download confidential candidate attachments. This could result in privacy breaches, data leaks, and potential misuse of personal information contained in the recruitment documents.

Mitigation Strategies

Upgrade OrangeHRM to version 5.8 or later, where the issue has been patched. Until the upgrade can be applied, restrict access to the recruitment attachment retrieval endpoint to authorized users only, and monitor authenticated requests to this endpoint for unusual access patterns.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66290. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart