CVE-2025-64012
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-17

Assigner: MITRE

Description
InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64012
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
invoiceplane invoiceplane 1.6.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized access to sensitive financial and customer information by bypassing ownership checks on invoice data. Such unauthorized disclosure of personal and financial data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal data. Therefore, the vulnerability poses a risk to compliance with these common standards and regulations. [1]

Executive Summary

CVE-2025-64012 is an Insecure Direct Object Reference (IDOR) vulnerability in InvoicePlane version 1.6.1. It occurs because the invoices/view handler does not verify ownership before returning invoice data. This allows an authenticated user to access invoices belonging to other users by manipulating the invoice ID parameter in the request URL, leading to unauthorized disclosure of invoice data. [1]

Impact Analysis

This vulnerability can lead to unauthorized read access to sensitive financial and customer information. It breaches tenant or user isolation by allowing users to view invoices that do not belong to them, potentially exposing confidential data and causing privacy and security risks. [1]

Detection Guidance

This vulnerability can be detected by attempting to access invoice data belonging to other users by manipulating the invoice_id parameter in the URL path /invoices/view/{invoice_id} while authenticated as a different user. For example, you can log in as one user, capture the invoice_id from a legitimate invoice request, then log in as another user and try to access the first user's invoice by changing the invoice_id in the URL. If the invoice data is returned without proper ownership verification, the system is vulnerable. Commands to test this could include using curl or similar HTTP clients to send requests with modified invoice_id parameters, such as: curl -b cookies.txt https://your-invoiceplane-instance/invoices/view/{invoice_id} where cookies.txt contains the authenticated session cookies of the second user. Observing if unauthorized invoice data is returned indicates the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading InvoicePlane to a version later than 1.6.1 where this vulnerability has been addressed. Additionally, review and correct any URL endpoints related to guest download attachments as per the reverted commit to ensure proper access controls are enforced. Specifically, ensure that ownership or permission checks are implemented on invoice view and download handlers to prevent unauthorized access. If upgrading is not immediately possible, restrict access to the invoice view endpoints to trusted users and monitor for suspicious access patterns. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64012. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart