CVE-2025-67298
Privilege Escalation in ClassroomIO via /api/verify and /profile
Publication date: 2026-03-11
Last updated on: 2026-04-07
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| classroomio | classroomio | to 0.2.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-67298 is a critical email verification bypass vulnerability in ClassroomIO versions prior to 0.2.6. The issue arises because the application trusts client-controlled data for email verification and uses unsigned, unvalidated Base64-encoded tokens for verification links. Attackers can exploit this by either manipulating the JSON response to set the "is_email_verified" flag to true or by forging Base64 tokens to mark any user\'s email as verified without legitimate verification.'}, {'type': 'paragraph', 'content': 'The root causes include trusting client-supplied fields, using unsigned Base64 tokens instead of cryptographically secure tokens, and lack of server-side validation for token ownership, integrity, and expiration.'}, {'type': 'list_item', 'content': 'Direct JSON Manipulation: Modifying the "is_email_verified" flag in the user profile response to true.'}, {'type': 'list_item', 'content': 'Base64 Token Forgery: Creating forged Base64-encoded tokens to bypass email verification.'}] [2]
How can this vulnerability impact me? :
This vulnerability allows attackers to completely bypass the email verification process, enabling them to impersonate verified users without access to their email inboxes.
As a result, attackers can gain unauthorized membership in organizations, escalate privileges, and potentially target administrator accounts, compromising the security and integrity of the platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and inspecting API requests to the endpoints /api/verify and /rest/v1/profile for suspicious manipulation of the is_email_verified flag or forged Base64 tokens.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves checking if the is_email_verified field in JSON responses or requests is being altered client-side to true without proper server validation.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network traffic inspection tools like curl or wget to fetch user profile data and verify the integrity of the is_email_verified flag, for example:'}, {'type': 'list_item', 'content': 'curl -X GET "https://app.classroomio.com/rest/v1/profile?select=*&id=eq.<user-id>" -H "Authorization: Bearer <token>"'}, {'type': 'paragraph', 'content': 'Additionally, intercepting and analyzing requests with tools like Burp Suite or Wireshark can help detect if the is_email_verified flag is being manipulated or if unsigned Base64 tokens are used in verification links.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate and mandatory step to mitigate this vulnerability is to upgrade ClassroomIO to version 0.2.6 or later, which contains critical security fixes addressing the email verification bypass.
This update includes cryptographically secure verification tokens with expiration, server-side validation with signature verification, database-level safeguards, and multi-layered frontend protections.
It is recommended to deploy this security release in production within 24 hours of its release to maintain platform security.
Other mitigation steps include disabling legacy Base64 verification methods, invalidating old verification links, and requiring users to receive new verification emails with the improved verification flow.