CVE-2025-64516
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi_project | glpi | 10.0.21 |
| glpi_project | glpi | 11.0.3 |
| glpi_project | glpi | From 10.0.0 (inc) to 10.0.21 (exc) |
| glpi_project | glpi | From 11.0.0 (inc) to 11.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64516 is a high-severity vulnerability in the GLPI asset and IT management software that allows unauthorized users to access documents attached to any item (such as tickets or assets). If the public FAQ feature is enabled, even anonymous users without any privileges can exploit this flaw. The root cause is improper access control due to insufficient filtering of document-item relationships, allowing documents not properly linked to an item to be accessed. The vulnerability arises from authorization bypass through user-controlled keys and improper SQL query joins, which were fixed by changing LEFT JOINs to INNER JOINs and adding strict filtering conditions to ensure documents are only accessible if explicitly linked to the item and the user has appropriate permissions. [1, 3, 4]
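The join anti-pattern described above, shown as an added example that is not GLPI's code: a constructed two-table schema (assumed names `documents` and `documents_items`) where the item filter sits in the ON clause of a LEFT JOIN, so an unlinked document still comes back, beside the INNER JOIN form that only returns a document when a link row to that exact item exists.

```python
import sqlite3

# Constructed, simplified stand-in for a document / document-item link schema.
# Table and column names are assumptions for this example, not GLPI's own code.
SCHEMA = """
CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE documents_items (documents_id INTEGER, itemtype TEXT, items_id INTEGER);
INSERT INTO documents VALUES (1, 'ticket-attachment.pdf'), (2, 'hr-contract.pdf');
INSERT INTO documents_items VALUES (1, 'Ticket', 10), (2, 'Computer', 5);
"""

# Weak pattern: the item conditions live in the ON clause of a LEFT JOIN.
# When no link row matches, the document row survives with NULL link columns,
# so the WHERE clause (document id only) still lets it through.
WEAK_QUERY = """
SELECT d.id FROM documents d
LEFT JOIN documents_items di
       ON di.documents_id = d.id AND di.itemtype = :type AND di.items_id = :item
WHERE d.id = :doc
"""

# Hardened pattern: INNER JOIN, with the link conditions in WHERE, so a row is
# returned only if this document is explicitly linked to this item.
FIXED_QUERY = """
SELECT d.id FROM documents d
INNER JOIN documents_items di ON di.documents_id = d.id
WHERE d.id = :doc AND di.itemtype = :type AND di.items_id = :item
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def document_visible(conn, query, document_id, itemtype, items_id):
    """True if `query` lets a request scoped to (itemtype, items_id) reach document_id."""
    params = {"doc": document_id, "type": itemtype, "item": items_id}
    return conn.execute(query, params).fetchone() is not None

def demo():
    conn = open_db()
    # Document 2 is linked only to Computer 5; a request scoped to Ticket 10
    # should never reach it, yet the weak query returns it.
    return {
        "weak_linked": document_visible(conn, WEAK_QUERY, 1, "Ticket", 10),
        "weak_unlinked": document_visible(conn, WEAK_QUERY, 2, "Ticket", 10),
        "fixed_linked": document_visible(conn, FIXED_QUERY, 1, "Ticket", 10),
        "fixed_unlinked": document_visible(conn, FIXED_QUERY, 2, "Ticket", 10),
    }

if __name__ == "__main__":
    print(demo())
```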
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive documents within the GLPI system, resulting in a high confidentiality loss. Unauthorized or anonymous users may gain access to documents they should not see, potentially exposing sensitive information related to IT assets, tickets, or other managed items. This can compromise the privacy and security of organizational data and may lead to further exploitation or data breaches. [2, 4, 5]
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-64516, immediately upgrade your GLPI installation to version 10.0.21 or 11.0.3, as these versions include the security fixes that prevent unauthorized access to documents. The updates address improper access control by enforcing strict document-item relation filtering and improving permission checks. Applying these official patches is the recommended and effective mitigation step. [2, 5, 4]