CVE-2025-65681
Description
An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-65681 in Overhang.IO Tutor 20.0.2 allows local attackers to access sensitive user information after logout due to missing cache-control headers and improper session checks.
Vulnerability
Overview
CVE-2025-65681 affects Overhang.IO Tutor (tutor-open-edx) version 20.0.2, a Docker-based Open edX distribution [2][3]. The vulnerability stems from the absence of proper cache-control HTTP headers and inadequate client-side session checks, allowing sensitive user information to remain accessible after logout [1][4].
Exploitation
Details
A local unauthorized attacker with access to a victim's browser session can exploit this flaw by simply pressing the browser's back button after the victim logs out [4]. The attack requires no special privileges beyond physical or local access to the same machine and browser [1]. The lack of cache-control headers means the browser retains previously loaded pages in its history cache, while missing client-side session checks fail to invalidate the user's authenticated state [4].
Impact
Successful exploitation exposes personally identifiable information (PII) and other sensitive account details that were visible on the account settings page [4]. This information disclosure violates user privacy and compromises session integrity, as the attacker can view data without reauthentication [4].
Mitigation
As of the publication date, no patch has been announced for this vulnerability. The vendor's documentation and source code repository are available for tracking updates [2][3]. Users should consider implementing additional cache-control headers and enforcing client-side session validation on cached pages as a workaround until an official fix is released.
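A header-side workaround of the kind the paragraph suggests, as an added example that is not Tutor's or Open edX's own code: a WSGI middleware that replaces any caching headers on responses to authenticated requests with `no-store`, exercised here with a constructed request rather than a live server. The `sessionid` cookie name and the `/account/settings` path are assumptions.

```python
from wsgiref.util import setup_testing_defaults

# Headers that stop browsers and proxies from storing a response, so the
# back button re-requests the page instead of replaying the cached copy.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
CACHE_HEADER_NAMES = {"cache-control", "pragma", "expires"}

def is_authenticated(environ):
    """Assumption: the app marks logged-in requests with a 'sessionid' cookie."""
    cookie = environ.get("HTTP_COOKIE", "")
    return any(p.strip().startswith("sessionid=") for p in cookie.split(";"))

class NoStoreMiddleware:
    """Replace any caching headers on authenticated responses with no-store."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def _start(status, headers, exc_info=None):
            if is_authenticated(environ):
                headers = [(k, v) for k, v in headers
                           if k.lower() not in CACHE_HEADER_NAMES]
                headers.extend(NO_STORE_HEADERS)
            return start_response(status, headers, exc_info)
        return self.app(environ, _start)

def account_settings_app(environ, start_response):
    """Constructed stand-in for an account page that wrongly allows caching."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Cache-Control", "public, max-age=600")])
    return [b"<h1>Account settings</h1><p>email: user@example.com</p>"]

def run_request(app, cookie=""):
    """Drive `app` with a constructed GET and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/account/settings"
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Unauthenticated responses keep whatever caching headers the application set, so public pages stay cacheable while account pages are never stored.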
- [1] NVD - CVE-2025-65681
- [2] The Docker-based Open edX distribution designed for peace of mind — Tutor documentation
- [3] GitHub - overhangio/tutor: The Docker-based Open edX distribution designed for peace of mind
- [4] GitHub - Rivek619/CVE-2025-65681: An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tutor (PyPI) | <= 20.0.2 | — |
Affected products
- Overhang.IO/tutor-open-edx (source: description)
- Range: <=20.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gq25-78jf-v78c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-65681 (ghsa, ADVISORY)
- docs.tutor.edly.io (ghsa, WEB)
News mentions
No linked articles in our index yet.