CVE-2025-65097

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-65097

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65097.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-65097

Aliases

GHSA-v7c8-f6xc-rv9g

Published

2025-12-03T19:41:33.262Z

Modified

2026-03-01T02:54:32.142763Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N CVSS Calculator

Summary

Insecure Direct Object Reference (IDOR) Allows Unauthorized Deletion of User Collections

Details

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65097.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284",
        "CWE-639"
    ]
}

References

Affected packages

Git / github.com/rommapp/romm

Affected ranges

Type: GIT
Repo: https://github.com/rommapp/romm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3e675f27072c44434330d2992505e264a9ca57ca

Affected versions

3.*

3.0.0

3.0.0-rc.3

3.0.0-rc.4

3.0.0-rc.5

3.0.0-rc.6

3.0.0-rc.7

3.0.1

3.0.1-rc.1

3.0.1-rc.2

3.0.2

3.0.3

3.1.0

3.1.0-rc.1

3.1.0-rc.2

3.1.0-rc.3

3.10.0

3.10.0-alpha.1

3.10.0-alpha.2

3.10.0-beta.1

3.10.1

3.10.2

3.10.3

3.2.0

3.2.0-rc.1

3.2.0-rc.2

3.2.0-rc.3

3.2.0-rc.4

3.3.0

3.3.0-beta.1

3.3.0-beta.2

3.3.0-beta.3

3.3.0-rc.1

3.3.0-rc.2

3.4.0

3.5.0

3.5.0-alpha.1

3.5.0-beta.1

3.5.0-beta.2

3.5.1

3.6.0

3.6.0-rc.1

3.7.0

3.7.0-alpha.1

3.7.0-alpha.2

3.7.0-beta.1

3.7.0-beta.2

3.7.0-beta.3

3.7.1

3.7.2

3.7.3

3.8.0

3.8.0-alpha.1

3.8.0-alpha.2

3.8.0-alpha.4

3.8.0-alpha.5

3.8.0-alpha.6

3.8.0-alpha.7

3.8.0-alpha.8

3.8.0-beta.1

3.8.0-beta.2

3.8.0-beta.3

3.8.1

3.8.1-beta.1

3.8.2

3.8.2-alpha.1

3.8.2-alpha.2

3.8.2-beta.1

3.8.2-beta.2

3.8.3

3.9.0

3.9.0-alpha.1

3.9.0-beta.1

3.9.0-beta.2

4.*

4.0.0-alpha.1

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-beta.1

4.0.0-beta.2

4.0.0-beta.3

4.0.0-beta.4

4.0.0-rc.1

4.0.1

4.1.0

4.1.0-alpha.1

4.1.0-beta.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.4-beta.1

4.1.4-beta.2

4.1.5

4.1.6

4.2.0

4.2.0-alpha.1

4.2.0-alpha.2

4.2.0-alpha.3

4.2.0-beta.1

4.3.0

4.3.0-alpha.1

4.3.0-alpha.2

4.3.0-alpha.3

4.3.0-beta.1

4.3.1

4.3.1-beta.1

4.3.2

4.3.2-beta.1

4.4.0

4.4.0-alpha.1

4.4.0-alpha.2

4.4.0-alpha.3

4.4.0-alpha.4

4.4.0-alpha.5

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.1-beta.1

v.*

v.2.2.0

v1.*

v1.0

v1.1

v1.10

v1.2

v1.2.2

v1.3

v1.4

v1.4.1

v1.5

v1.5.1

v1.6

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.7

v1.7.1

v1.8

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.9

v1.9.1

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.2.1

v2.3.0

v2.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65097.json"