CVE-2025-65096

Source
https://cve.org/CVERecord?id=CVE-2025-65096
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65096.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-65096
Aliases
  • GHSA-5ghc-8wr3-788c
Published
2025-12-03T19:39:53.722Z
Modified
2025-12-05T10:28:38.125460Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
RomM Insecure Direct Object Reference (IDOR) Allows Unauthorized Access to Private Collections
Details

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections and smart collections belonging to other users by directly accessing their IDs via the API. The affected endpoints perform no ownership verification and do not check whether the collection is public or private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.

Database specific
{
    "cwe_ids": [
        "CWE-284",
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65096.json"
}
References

Affected packages

Git / github.com/rommapp/romm

Affected ranges

Type
GIT
Repo
https://github.com/rommapp/romm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.4.1-beta.2"
        }
    ]
}

Affected versions

3.*
3.0.0
3.0.0-rc.3
3.0.0-rc.4
3.0.0-rc.5
3.0.0-rc.6
3.0.0-rc.7
3.0.1
3.0.1-rc.1
3.0.1-rc.2
3.0.2
3.0.3
3.1.0
3.1.0-rc.1
3.1.0-rc.2
3.1.0-rc.3
3.10.0
3.10.0-alpha.1
3.10.0-alpha.2
3.10.0-beta.1
3.10.1
3.10.2
3.10.3
3.2.0
3.2.0-rc.1
3.2.0-rc.2
3.2.0-rc.3
3.2.0-rc.4
3.3.0
3.3.0-beta.1
3.3.0-beta.2
3.3.0-beta.3
3.3.0-rc.1
3.3.0-rc.2
3.4.0
3.5.0
3.5.0-alpha.1
3.5.0-beta.1
3.5.0-beta.2
3.5.1
3.6.0
3.6.0-rc.1
3.7.0
3.7.0-alpha.1
3.7.0-alpha.2
3.7.0-beta.1
3.7.0-beta.2
3.7.0-beta.3
3.7.1
3.7.2
3.7.3
3.8.0
3.8.0-alpha.1
3.8.0-alpha.2
3.8.0-alpha.4
3.8.0-alpha.5
3.8.0-alpha.6
3.8.0-alpha.7
3.8.0-alpha.8
3.8.0-beta.1
3.8.0-beta.2
3.8.0-beta.3
3.8.1
3.8.1-beta.1
3.8.2
3.8.2-alpha.1
3.8.2-alpha.2
3.8.2-beta.1
3.8.2-beta.2
3.8.3
3.9.0
3.9.0-alpha.1
3.9.0-beta.1
3.9.0-beta.2
4.*
4.0.0-alpha.1
4.0.0-alpha.2
4.0.0-alpha.3
4.0.0-alpha.4
4.0.0-beta.1
4.0.0-beta.2
4.0.0-beta.3
4.0.0-beta.4
4.0.0-rc.1
4.0.1
4.1.0
4.1.0-alpha.1
4.1.0-beta.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4-beta.1
4.1.4-beta.2
4.1.5
4.1.6
4.2.0
4.2.0-alpha.1
4.2.0-alpha.2
4.2.0-alpha.3
4.2.0-beta.1
4.3.0
4.3.0-alpha.1
4.3.0-alpha.2
4.3.0-alpha.3
4.3.0-beta.1
4.3.1
4.3.1-beta.1
4.3.2
4.3.2-beta.1
4.4.0
4.4.0-alpha.1
4.4.0-alpha.2
4.4.0-alpha.3
4.4.0-alpha.4
4.4.0-alpha.5
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.1-beta.1
v.*
v.2.2.0
v1.*
v1.0
v1.1
v1.10
v1.2
v1.2.2
v1.3
v1.4
v1.4.1
v1.5
v1.5.1
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.7
v1.7.1
v1.8
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.9
v1.9.1
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.1
v2.3.0
v2.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65096.json"