CVE-2025-65097
BaseFortify
Publication date: 2025-12-03
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| romm.app | romm | to 4.4.1 (exc) |
| romm.app | romm | 4.4.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in RomM (ROM Manager) allows an authenticated user to delete game collections belonging to other users by sending a DELETE request directly to the collection endpoint without any ownership verification. This means users can remove collections they do not own.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized deletion of other users' game collections, resulting in data loss and potential disruption of service for affected users. It compromises data integrity and user trust in the application.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade RomM (ROM Manager) to version 4.4.1 or 4.4.1-beta.2 or later, where the issue has been fixed by adding ownership verification before deleting collections.