CVE-2025-53105: 
GLPI vulnerability analysis and mitigation

GLPI (Gestionnaire Libre de Parc Informatique), a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing, was found to contain a privilege management vulnerability. The issue affects versions 10.0.0 to before 10.0.19, where a connected user without administration rights could change the rules execution order. This vulnerability was discovered in August 2025 and was assigned CVE-2025-53105 (NVD).

The vulnerability has been assessed with a CVSS v3.1 base score of 7.5 (High severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The scoring indicates that the vulnerability is exploitable over the network (AV:N), requires high attack complexity (AC:H), needs low privileges (PR:L), requires no user interaction (UI:N), has unchanged scope (S:U), and can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) (GitHub Advisory).

The vulnerability allows unauthorized users to modify the rules execution order in GLPI, potentially leading to significant security implications. With high impact ratings across confidentiality, integrity, and availability, successful exploitation could result in unauthorized access to sensitive information, modification of system configurations, and potential service disruptions (GitHub Advisory).

The vulnerability has been patched in GLPI version 10.0.19. Organizations using affected versions (10.0.0 to before 10.0.19) are strongly recommended to upgrade to version 10.0.19 to address this security issue (GitHub Release).

The release of version 10.0.19 was marked as a security release, with the vendor explicitly recommending the upgrade. The vulnerability was one of several security issues addressed in this release, indicating a comprehensive security update (GitHub Release).