CVE-2025-53357: GLPI Reservation Alteration Vulnerability

GLPI, a widely-used IT asset management software, is affected by a vulnerability that allows a connected user to alter the reservations of another user. This poses a risk to data integrity and proper resource allocation within organizations using GLPI.

Vulnerability Details

  • CVE ID: CVE-2025-53357
  • Description: A connected user can alter the reservations of another user due to improper access control.
  • CVSS Score: 5.4 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVSS Explanation: The vector means the vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L). The attacker needs only low privileges (PR:L), i.e. an ordinary authenticated account, and no user interaction is required (UI:N). Scope is unchanged (S:U); the impact on confidentiality and integrity is low (C:L, I:L), and there is no impact on availability (A:N).
  • Exploit Requirements: An attacker needs to be a connected/authenticated user within the GLPI system.
  • Affected Vendor: GLPI-project
  • Affected Product: GLPI
  • Affected Versions: 0.78 through 10.0.18
  • CWE: CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE Explanation: This CWE describes a situation where an application uses a user-controlled key or identifier to directly access or modify resources, bypassing proper authorization checks. An attacker can modify this key to access resources belonging to other users.

Timeline of Events

  • Report Date: Unknown
  • Published Date: 2025-07-30
  • Fix Date: Fixed in version 10.0.19

Exploitability & Real-World Risk

This vulnerability is relatively easy to exploit for an authenticated user within the GLPI system. In a real-world scenario, a malicious employee or an attacker who has gained access to a legitimate user account could potentially modify reservations, leading to resource conflicts, denial of service for legitimate users, or even financial implications depending on the nature of the reservations.

Recommendations

The primary recommendation is to update GLPI to version 10.0.19 or later. This version contains the necessary fix to address the vulnerability. If immediate upgrade is not possible, review and restrict user privileges to minimize the potential impact of unauthorized reservation alterations.

  • Upgrade GLPI: Upgrade to version 10.0.19 or later.
  • Review User Privileges: Restrict user privileges to the minimum necessary for their role.
  • Monitor System Logs: Regularly monitor GLPI system logs for suspicious activity.

Technical Insight

The vulnerability likely stems from a lack of proper authorization checks when handling reservation requests. The system might be using a user-supplied identifier (like a user ID or reservation ID) without verifying if the user is authorized to modify the specific reservation. This allows an attacker to manipulate the request to alter reservations belonging to other users.
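The pattern described above, as an added example that is not GLPI's code: a hypothetical reservation store whose update handler trusts the client-supplied reservation id (the CWE-639 shape), beside the same handler with the ownership check bound to the session user and an audit line that log monitoring can pick up. All class, field and function names are constructed for this illustration.

```python
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    """Raised when the caller does not own the reservation (hypothetical)."""

@dataclass
class Reservation:
    id: int
    owner_id: int
    item: str
    end: str

@dataclass
class ReservationStore:
    rows: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def update_vulnerable(self, session_user: int, res_id: int, new_end: str) -> Reservation:
        # CWE-639 pattern: the client-supplied id is used directly and the
        # owner is never compared with the session user, so any authenticated
        # user can rewrite any reservation.
        r = self.rows[res_id]
        r.end = new_end
        return r

    def update_checked(self, session_user: int, res_id: int, new_end: str,
                       can_manage_all: bool = False) -> Reservation:
        # Load by id, then bind the row to the authenticated principal (or an
        # explicit manage-all right) before any write.
        r = self.rows.get(res_id)
        if r is None or (r.owner_id != session_user and not can_manage_all):
            # One response for "missing" and "not yours" so the id space is not enumerable.
            self.audit.append(f"DENY user={session_user} reservation={res_id}")
            raise AuthorizationError("reservation not found or not owned by caller")
        r.end = new_end
        self.audit.append(f"UPDATE user={session_user} reservation={res_id} end={new_end}")
        return r

def demo() -> tuple:
    # Constructed data: reservation 7 belongs to user 1; user 2 submits id 7.
    store = ReservationStore()
    store.rows[7] = Reservation(7, owner_id=1, item="Projector", end="2025-08-01 10:00")
    store.update_vulnerable(2, 7, "2025-08-01 17:00")   # succeeds: tampered
    tampered_end = store.rows[7].end
    try:
        store.update_checked(2, 7, "2025-08-01 18:00")
        denied = False
    except AuthorizationError:
        denied = True
    return tampered_end, denied, store.audit[-1]
```

The DENY audit line is the kind of event the "Monitor System Logs" recommendation is meant to surface: a burst of denials across many reservation ids from one account is worth investigating.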

Credit to Researcher(s)

This vulnerability was reported via GitHub Security Advisory.

Tags

GLPI, CVE-2025-53357, IT Management, Security Vulnerability, Access Control, Data Integrity

Summary: CVE-2025-53357 is a medium severity vulnerability in GLPI versions 0.78 through 10.0.18, allowing authenticated users to alter reservations of other users due to improper access control. Upgrade to version 10.0.19 to resolve this issue and prevent unauthorized modifications.

CVE ID: CVE-2025-53357

Risk Analysis: Unauthorized reservation alterations can lead to resource conflicts, denial of service, and potentially financial implications.

Recommendation: Upgrade to GLPI version 10.0.19 or later to fix the vulnerability.

Timeline

  • 2025-07-30: CVE Published
  • 2025-07-30: Vulnerability fixed in GLPI version 10.0.19
