CVE-2025-66291
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-29

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has permission to access the associated interview record. Because the server does not perform any recruitment-level authorization checks, an ESS-level user with no access to recruitment workflows can directly request interview attachment URLs and receive the corresponding files. This exposes confidential interview documentsβ€”including candidate CVs, evaluations, and supporting filesβ€”to unauthorized users. The issue arises from relying on predictable object identifiers and session presence rather than validating the user’s association with the relevant recruitment process. This issue has been patched in version 5.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-29
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-11-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66291
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orangehrm orangehrm From 5.0 (inc) to 5.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OrangeHRM versions 5.0 to 5.7 allows an authenticated user with only ESS-level access (which normally does not include recruitment workflows) to retrieve confidential interview attachments. The system's interview attachment retrieval endpoint serves files based solely on an authenticated session and user-supplied identifiers without verifying if the user has permission to access the specific interview record. This means unauthorized users can access sensitive documents like candidate CVs and evaluations because the server does not perform recruitment-level authorization checks.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of confidential interview documents, including candidate CVs, evaluations, and supporting files. An ESS-level user without recruitment access can directly request and obtain sensitive recruitment files, potentially leading to privacy breaches, exposure of personal data, and damage to organizational confidentiality.

Mitigation Strategies

Upgrade OrangeHRM to version 5.8 or later, where the vulnerability has been patched. Until then, restrict ESS-level user access to recruitment modules and monitor access to interview attachment endpoints to prevent unauthorized file retrieval.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66291. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart