CVE-2025-53357: 
GLPI vulnerability analysis and mitigation

CVE-2025-53357 affects GLPI (Gestionnaire Libre de Parc Informatique), a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking, and software auditing. The vulnerability was discovered and disclosed on July 29, 2025, affecting versions 0.78 through 10.0.18. This security issue allows connected users to modify reservations belonging to other users without proper authorization (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and can impact both confidentiality and integrity at a low level, with no impact on availability. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), where the system's authorization functionality fails to prevent users from accessing other users' data by modifying key values (GitHub Advisory).

The vulnerability allows authenticated users to bypass authorization controls and modify reservation data belonging to other users. This unauthorized access compromises the integrity of the reservation system and potentially exposes confidential reservation information (GitHub Advisory).

The vulnerability has been fixed in GLPI version 10.0.19. Users are advised to upgrade to this patched version to protect against unauthorized reservation modifications. No alternative workarounds have been provided (GitHub Advisory).