VYPR
Moderate severity · OSV Advisory · Published Oct 23, 2025 · Updated Oct 23, 2025

Moodle: router (r.php) could expose application directories

CVE-2025-62396

Description

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Moodle's router error handling could expose internal directory listings to unauthenticated users due to improper HTTP header configuration.

Vulnerability

Overview

CVE-2025-62396 describes an error-handling flaw in Moodle's router component (r.php). When specific HTTP headers are not properly configured, the application may inadvertently display internal directory listings instead of returning a proper error response [1][2]. The root cause lies in how the router handles exceptions during request validation; prior to the fix, detailed error payloads including stack traces and error codes were returned to all users.

Exploitation

An attacker can trigger this vulnerability by sending crafted HTTP requests with missing or malformed headers to the Moodle router endpoint. No authentication is required, as the issue occurs before any access control checks are applied. The attack surface is network-accessible, making it exploitable remotely.

Impact

Successful exploitation leads to information disclosure, revealing internal directory structures and potentially other sensitive system details. This could aid an attacker in mapping the application's file layout and identifying further attack vectors.

Mitigation

The Moodle project has addressed this issue in commit 5e7d5abc483d0511ebfc2042075eabcc392ff4ce [4]. The fix modifies the error handling to hide detailed payload data for non-admin users, throwing a generic "page not found" exception instead. Administrators are advised to update to the latest patched version. Red Hat has also acknowledged the vulnerability [1].
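As an added example, not Moodle's own code, the same fail-closed pattern in plain PHP: the detailed payload is always written to the server log, and the client receives it only when error display is enabled and the caller is an administrator. It generalises the fix by applying to every error status rather than 404 alone; the class and function names are hypothetical.

```php
<?php
// Added example (not Moodle's code). Names are hypothetical.
declare(strict_types=1);

final class ErrorPayload {
    public function __construct(
        public readonly int $status,
        public readonly string $reason,
        public readonly array $detail, // errorcode, message, stacktrace
    ) {}
}

// What a verbose error handler produces for a failed request validation.
function detailed_error_from_exception(\Throwable $e, int $status, string $reason): ErrorPayload {
    return new ErrorPayload($status, $reason, [
        'errorcode'  => $e->getCode(),
        'message'    => $e->getMessage(),
        'stacktrace' => $e->getTraceAsString(),
    ]);
}

// Decide what the client may see. Detail is returned only when BOTH the
// deployment has error display switched on AND the caller is privileged;
// every other case collapses to a generic payload with the same status.
// Full detail always goes to the log, so operators lose nothing.
function sanitise_error_response(ErrorPayload $p, bool $isAdmin, bool $debugDisplay, array &$log): ErrorPayload {
    $log[] = sprintf('%d %s: %s', $p->status, $p->reason, json_encode($p->detail));
    if ($isAdmin && $debugDisplay) {
        return $p;
    }
    return new ErrorPayload($p->status, $p->reason, ['message' => 'Page not found']);
}

// Constructed validation failure (sample input, not a real Moodle error).
$log = [];
$e = new \RuntimeException('Missing required header: X-Example', 4001);
$verbose = detailed_error_from_exception($e, 404, 'Not Found');

$anonView  = sanitise_error_response($verbose, false, true, $log);  // anonymous, display on
$adminView = sanitise_error_response($verbose, true,  true, $log);  // admin, display on
$adminProd = sanitise_error_response($verbose, true,  false, $log); // admin, display off

assert(!array_key_exists('stacktrace', $anonView->detail));
assert(array_key_exists('stacktrace', $adminView->detail));
assert(!array_key_exists('stacktrace', $adminProd->detail));
assert(count($log) === 3); // every variant was logged in full
echo json_encode($anonView->detail), PHP_EOL;
```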

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   | Affected versions       | Patched versions
moodle/moodle (Packagist) | >= 5.0.0-beta, < 5.0.3  | 5.0.3
moodle/moodle (Packagist) | >= 4.5.0-beta, < 4.5.7  | 4.5.7

Affected products (2)

  • Moodle/Moodle (OSV), 2 versions
    v4.5.0, v4.5.1, v4.5.2, … (+1 more)
    • (no CPE) range: v4.5.0, v4.5.1, v4.5.2, …
    • (no CPE)

Patches (2)

5e7d5abc483d

MDL-86335 router: Hide detailed payload data for non-admins

https://github.com/moodle/moodle · David Woloszyn · Sep 29, 2025 · via ghsa
1 file changed · +9 −1
  • public/lib/classes/router/middleware/validation_middleware.php (+9 −1, modified)
    @@ -53,10 +53,18 @@ public function __construct(
     
         #[\Override]
         public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface {
    +        global $USER;
    +
             try {
                 $request = $this->requestvalidator->validate_request($request);
             } catch (\Exception $e) {
    -            return $this->responsehandler->get_response_from_exception($request, $e);
    +            $response = $this->responsehandler->get_response_from_exception($request, $e);
    +            // Throw 'page not found' exception for non-admins.
    +            // This hides stacktrace and errorcodes in detailed payload responses.
    +            if (!is_siteadmin($USER->id) && $response->getStatusCode() == 404) {
    +                return \core\router\util::throw_page_not_found($request, $response, $response->getReasonPhrase());
    +            }
    +            return $response;
             }
     
             $response = $handler->handle($request);
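Review bot: the guard `if (!is_siteadmin($USER->id) && $response->getStatusCode() == 404)` in the catch block only hides the detailed payload for 404 responses, so any other status that `get_response_from_exception()` produces for a failed validation still reaches non-admins with its stack trace and error codes; either drop the status check or document why 404 is the only status that carries detailed payload data. The comment above it ("This hides stacktrace and errorcodes in detailed payload responses") reads as if it covered every error response, so the two should be brought into agreement.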
    
5d4910509eea

MDL-86494 router: Display error details only when debugging is on

https://github.com/moodle/moodle · David Woloszyn · Sep 23, 2025 · via ghsa
1 file changed · +4 −1
  • public/lib/classes/router.php (+4 −1, modified)
    @@ -198,11 +198,14 @@ protected function add_middleware(): void {
          * Add the Error Handling Middleware to the RouteGroup.
          */
         protected function add_error_handler_middleware(): void {
    +        global $CFG;
    +        // Display error details only when debugging is on.
    +        $displayerrordetails = !empty($CFG->debugdisplay);
             // Add the Error Handling Middleware and configure it to show Moodle Errors for HTML pages.
             $errormiddleware = new ErrorMiddleware(
                 $this->app->getCallableResolver(),
                 $this->app->getResponseFactory(),
    -            displayErrorDetails: true,
    +            displayErrorDetails: $displayerrordetails,
                 logErrors: true,
                 logErrorDetails: true,
             );
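Review bot: the comment `// Display error details only when debugging is on.` does not match the condition below it, which tests `$CFG->debugdisplay` (whether errors are shown to the browser) rather than the debug level; reword it to "only when error display (debugdisplay) is enabled" so nobody assumes `$CFG->debug` gates it. It would also help to note in the method docblock that `logErrors: true` and `logErrorDetails: true` are kept, so full detail still reaches the log when it is withheld from the response.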
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (7)

News mentions (0)

No linked articles in our index yet.