CVE-2025-53113: GLPI Information Disclosure Vulnerability via External Links

GLPI (Gestionnaire Libre de Parc Informatique) is a widely-used open-source IT asset management and service desk software. A recent vulnerability, CVE-2025-53113, allows technicians with high privileges to potentially access information about items they should not have access to via the external links feature. This post details the vulnerability, its impact, and how to mitigate it.

Vulnerability Details

  • CVE ID: CVE-2025-53113
  • Description: GLPI versions 0.65 through 10.0.18 are vulnerable to an information disclosure flaw. A technician with high privileges can leverage the external links feature to fetch information about items they lack the proper authorization to view.
  • CVSS Score: 2.7 (Low)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  • CVSS Explanation: This low severity score reflects that a successful exploit requires high privileges. The impact is limited to confidentiality (read access), with no impact on integrity or availability. The attack can be performed over the network with low complexity and no user interaction.
  • Exploit Requirements: An attacker needs a technician account with high privileges on the vulnerable GLPI instance.
  • Affected Vendor: GLPI Project
  • Affected Product: GLPI
  • Affected Versions: 0.65 through 10.0.18
  • CWE: CWE-862 (Missing Authorization) & CWE-284 (Improper Access Control)
  • CWE Explanation: CWE-862 and CWE-284 describe vulnerabilities where the software fails to properly verify that the user has the necessary permissions to access a resource or perform an action. In this case, the external links feature does not adequately validate the technician's authorization to view the linked information.

Timeline of Events

  • 2025-07-30: Vulnerability publicly disclosed.
  • 2025-07-30: CVE-2025-53113 assigned.
  • 2025-07-30: Fixed version 10.0.19 released.

Exploitability & Real-World Risk

While the CVSS score is low, the real-world risk depends on how your GLPI instance is used. A malicious technician, or a compromised technician account, could use this vulnerability to gather sensitive information about IT assets, users, or other critical data they should not have access to. That information could then support further attacks or unauthorized activity. The relatively simple exploit condition (only a higher-privileged account is required) makes it practical in a real-world scenario.

Recommendations

  • Upgrade to version 10.0.19 or later: This version contains the fix for CVE-2025-53113.
  • Review technician privileges: Ensure technicians only have the necessary privileges to perform their duties.
  • Monitor GLPI logs: Look for suspicious activity related to the external links feature.

Technical Insight

The vulnerability resides in how the external links feature handles authorization checks. Specifically, when a technician uses this feature to fetch data, the application does not verify that the technician has permission to view the underlying item the link refers to. By exploiting this oversight, a technician can bypass the intended access controls and read item information they could not otherwise view.
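As an added illustration (not GLPI's own code), the PHP sketch below contrasts the flawed pattern described above with a checked one: an external link template is expanded with fields of the item it points to, and the unchecked version resolves any item the caller names, while the checked version first confirms the caller may view that item type. The item types, per-type rights, and the [ITEM_NAME]/[SERIAL] placeholders are assumptions made for the example.

```php
<?php
// Added illustration of the CWE-862 pattern, not code from the GLPI project.
declare(strict_types=1);

// Constructed inventory: item type => id => fields.
$items = [
    'Computer' => [7 => ['name' => 'db-prod-01', 'serial' => 'SN-CONSTRUCTED-7']],
    'Phone'    => [3 => ['name' => 'exec-phone', 'serial' => 'SN-CONSTRUCTED-3']],
];

// Flawed pattern: the (type, id) pair comes from the request and is resolved
// without asking whether the caller is allowed to see that item at all.
function expandLinkUnchecked(string $tpl, string $type, int $id, array $items): ?string
{
    $fields = $items[$type][$id] ?? null;
    if ($fields === null) {
        return null; // unknown item
    }
    return str_replace(
        ['[ITEM_NAME]', '[SERIAL]'],
        [$fields['name'], $fields['serial']],
        $tpl
    );
}

// Checked pattern: authorize the item type before resolving anything, so the
// expanded link never carries fields the caller could not read directly.
function expandLinkChecked(string $tpl, string $type, int $id, array $items, array $viewableTypes): ?string
{
    if (!in_array($type, $viewableTypes, true)) {
        return null; // authorization failure: return nothing, not partial data
    }
    return expandLinkUnchecked($tpl, $type, $id, $items);
}

// Hypothetical technician profile that may view computers but not phones.
$techViewable = ['Computer'];
$tpl = 'https://monitor.example/asset/[ITEM_NAME]/[SERIAL]';

// The unchecked resolver leaks the phone's name and serial into the URL;
// the checked resolver returns null for the phone and expands only the computer.
var_dump(expandLinkUnchecked($tpl, 'Phone', 3, $items));
var_dump(expandLinkChecked($tpl, 'Phone', 3, $items, $techViewable));
var_dump(expandLinkChecked($tpl, 'Computer', 7, $items, $techViewable));
```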

Credit to Researcher(s)

This vulnerability was reported through a GitHub Security Advisory.

Tags

#GLPI #InformationDisclosure #PHP #CVE-2025-53113 #AssetManagement #ITIL #Security

Summary: CVE-2025-53113 is an information disclosure vulnerability in GLPI versions 0.65 through 10.0.18. A technician with high privileges can use the external links feature to access information about items they should not have access to. Upgrade to version 10.0.19 to fix this issue.

CVE ID: CVE-2025-53113

Risk Analysis: A malicious or compromised technician can gain unauthorized access to sensitive IT asset information, potentially leading to further attacks or misuse of data.

Recommendation: Upgrade to GLPI version 10.0.19 or later to patch the vulnerability. Review and restrict technician privileges to minimize potential impact.

Timeline

  • 2025-07-30: Vulnerability publicly disclosed and CVE assigned.
  • 2025-07-30: GLPI version 10.0.19 released with a fix.
