Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-67298 is a critical email verification bypass vulnerability in ClassroomIO versions prior to 0.2.6. The issue arises because the application trusts client-controlled data for email verification and uses unsigned, unvalidated Base64-encoded tokens for verification links. Attackers can exploit this by either manipulating the JSON response to set the "is_email_verified" flag to true or by forging Base64 tokens to mark any user\'s email as verified without legitimate verification.'}, {'type': 'paragraph', 'content': 'The root causes include trusting client-supplied fields, using unsigned Base64 tokens instead of cryptographically secure tokens, and lack of server-side validation for token ownership, integrity, and expiration.'}, {'type': 'list_item', 'content': 'Direct JSON Manipulation: Modifying the "is_email_verified" flag in the user profile response to true.'}, {'type': 'list_item', 'content': 'Base64 Token Forgery: Creating forged Base64-encoded tokens to bypass email verification.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to completely bypass the email verification process, enabling them to impersonate verified users without access to their email inboxes.

As a result, attackers can gain unauthorized membership in organizations, escalate privileges, and potentially target administrator accounts, compromising the security and integrity of the platform.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and inspecting API requests to the endpoints /api/verify and /rest/v1/profile for suspicious manipulation of the is_email_verified flag or forged Base64 tokens.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves checking if the is_email_verified field in JSON responses or requests is being altered client-side to true without proper server validation.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network traffic inspection tools like curl or wget to fetch user profile data and verify the integrity of the is_email_verified flag, for example:'}, {'type': 'list_item', 'content': 'curl -X GET "https://app.classroomio.com/rest/v1/profile?select=*&id=eq.<user-id>" -H "Authorization: Bearer <token>"'}, {'type': 'paragraph', 'content': 'Additionally, intercepting and analyzing requests with tools like Burp Suite or Wireshark can help detect if the is_email_verified flag is being manipulated or if unsigned Base64 tokens are used in verification links.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and mandatory step to mitigate this vulnerability is to upgrade ClassroomIO to version 0.2.6 or later, which contains critical security fixes addressing the email verification bypass.

This update includes cryptographically secure verification tokens with expiration, server-side validation with signature verification, database-level safeguards, and multi-layered frontend protections.

It is recommended to deploy this security release in production within 24 hours of its release to maintain platform security.

Other mitigation steps include disabling legacy Base64 verification methods, invalidating old verification links, and requiring users to receive new verification emails with the improved verification flow.

Useful 0 Not Useful 0