Moodle: moodle: remote code execution via insufficient restore input validation
Description
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-67847 is a flaw in Moodle where insufficient validation in the restore interface allows authenticated attackers to achieve arbitrary code execution and full application compromise.
Summary
The vulnerability CVE-2025-67847 affects the Moodle open-source learning platform. An attacker with access to the restore interface can trigger server-side execution of arbitrary code due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines [1][2].
Root cause
The core restore routines in Moodle do not properly validate input supplied through the restore interface. An attacker can therefore inject crafted data that the server-side restore process interprets in an unintended way, resulting in code execution. The flaw lies in the lack of sanitization or verification of restore data before it is processed [2].
Exploitation and impact
To exploit the vulnerability, an attacker needs access to the restore interface, which typically requires an authenticated user with a role that is permitted to restore (such as a teacher or an administrator). Beyond submitting crafted restore input, no further user interaction is required. Successful exploitation can lead to full compromise of the Moodle application, including the ability to execute arbitrary commands on the server, access sensitive data, and potentially pivot to other systems [1][2].
Mitigation
The GitHub Security Advisory lists fixed releases for each affected branch (5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22; see Affected packages below). Upgrade to the fixed release for your branch as soon as possible and monitor official Moodle channels for further updates. Until the upgrade is applied, restrict access to the restore interface to trusted users as a temporary mitigation [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| moodle/moodle | Packagist | >= 5.1.0-beta, < 5.1.1 | 5.1.1 |
| moodle/moodle | Packagist | >= 5.0.0-beta, < 5.0.4 | 5.0.4 |
| moodle/moodle | Packagist | >= 4.5.0-beta, < 4.5.8 | 4.5.8 |
| moodle/moodle | Packagist | >= 4.2.0-beta, < 4.4.12 | 4.4.12 |
| moodle/moodle | Packagist | < 4.1.22 | 4.1.22 |
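The ranges in the table use pre-release lower bounds (`5.1.0-beta`), so a naive string or numeric comparison will misclassify beta and release-candidate builds. The following is an added example, not code from Moodle or from the advisory: it reads the `$release` string that Moodle's `version.php` carries (the `'4.5.3 (Build: 20250214)'` shape is assumed from that file's convention, and the sample file below is constructed), parses it into a comparable tuple in which a pre-release sorts before the final release of the same number, and checks it against the advisory ranges above. A trailing `+` (Moodle's marker for a weekly build on a stable branch) is stripped, which deliberately errs on the side of reporting the install as affected.

```python
import re

# Affected ranges exactly as listed in the GitHub Security Advisory table above:
# (lower bound inclusive or None, upper bound exclusive, patched release).
AFFECTED_RANGES = [
    ("5.1.0-beta", "5.1.1", "5.1.1"),
    ("5.0.0-beta", "5.0.4", "5.0.4"),
    ("4.5.0-beta", "4.5.8", "4.5.8"),
    ("4.2.0-beta", "4.4.12", "4.4.12"),
    (None, "4.1.22", "4.1.22"),
]

# Pre-release tags in ascending order; a final release gets a rank above all of them.
_PRE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_FINAL_RANK = len(_PRE_RANK)

_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-?\s*(dev|alpha|beta|rc)\s*(\d*))?$",
    re.IGNORECASE,
)

# Assumed format of the $release assignment in Moodle's version.php.
_RELEASE_RE = re.compile(r"^\s*\$release\s*=\s*'([^']*)'", re.MULTILINE)


def parse_version(text):
    """Turn '5.1.0-beta', '4.5beta', '4.5.7+' or '4.5.8 (Build: 20251201)'
    into a tuple (major, minor, patch, pre_rank, pre_num) that compares
    the way the advisory ranges intend: 5.1.0-beta < 5.1.0 < 5.1.1."""
    text = re.sub(r"\s*\(Build:[^)]*\)\s*$", "", text.strip())
    text = text.rstrip("+")  # weekly build marker; treated as its base release (conservative)
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Moodle version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    key = (int(major), int(minor or 0), int(patch or 0))
    if pre:
        return key + (_PRE_RANK[pre.lower()], int(pre_num or 0))
    return key + (_FINAL_RANK, 0)


def is_affected(release):
    """Return (affected, patched_release) for a Moodle release string."""
    v = parse_version(release)
    for lower, upper, patched in AFFECTED_RANGES:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return True, patched
    return False, None


def release_from_version_php(source):
    """Extract the $release string from the text of a Moodle version.php."""
    m = _RELEASE_RE.search(source)
    if not m:
        raise ValueError("no $release assignment found in version.php")
    return m.group(1)


def check_version_php(source):
    """Convenience wrapper: (release string, affected, patched release)."""
    release = release_from_version_php(source)
    affected, patched = is_affected(release)
    return release, affected, patched


# Constructed sample of a Moodle version.php; the build number and date are invented.
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2024100703.00;
$release  = '4.5.3 (Build: 20250214)';
$branch   = '405';
"""

if __name__ == "__main__":
    rel, affected, patched = check_version_php(SAMPLE_VERSION_PHP)
    print(f"{rel}: {'AFFECTED, upgrade to ' + patched if affected else 'not in an affected range'}")
    for r in ["5.1.0-beta", "5.1.0", "5.1.1", "4.5beta", "4.5.7+", "4.1.22", "4.3.5"]:
        print(r, is_affected(r))
```

Run it against a real install by passing the contents of `<moodle root>/version.php` to `check_version_php`. Note that a `dev` build on the main branch is not covered by any advisory range and will report as not affected; that reflects the table, not a judgement about the main branch.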
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-xvmh-25jw-gmmm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67847 (GHSA, advisory)
- access.redhat.com/security/cve/CVE-2025-67847 (GHSA, vdb-entry, x_refsource_REDHAT, web)
- moodle.org/mod/forum/discuss.php (GHSA, web)
News mentions (0)
No linked articles in our index yet.