CVE-2025-65096
BaseFortify
Publication date: 2025-12-03
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| romm.app | romm | to 4.4.1 (exc) |
| romm.app | romm | 4.4.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in RomM (ROM Manager) versions prior to 4.4.1 and 4.4.1-beta.2 allows users to access private or smart collections of other users by directly using their collection IDs via the API. The system does not verify ownership or check whether the collection is public or private before returning the collection data, leading to unauthorized access.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of private game collections belonging to other users. This means sensitive or personal data stored in these collections could be exposed to unauthorized users, potentially compromising user privacy and trust.
What immediate steps should I take to mitigate this vulnerability?
Update RomM (ROM Manager) to version 4.4.1 or later, or to 4.4.1-beta.2 or later, as these versions contain the fix for this vulnerability.