CVE-2025-62401: 
PHP vulnerability analysis and mitigation

CVE-2025-62401 is a security vulnerability discovered in Moodle's timed assignment feature that was disclosed on October 23, 2025. The vulnerability affects multiple versions of Moodle, including versions 5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20, and earlier unsupported versions (Miggo, Redhat Bugzilla).

The vulnerability is classified as CWE-285 (Improper Authorization) with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. The root cause analysis reveals that the timer would start automatically upon visiting the submission page, rather than when students explicitly chose to begin. The vulnerability exists in the getusersubmission and getgroupsubmission functions within public/mod/assign/locallib.php (Miggo).

The vulnerability allows students to bypass time restrictions in timed assignments, potentially giving them more time than allowed to complete assessments. This could result in unfair assessment conditions and compromise the integrity of educational evaluations (Redhat Bugzilla).

The vulnerability has been patched in Moodle versions 5.0.3, 4.5.7, 4.4.11, and 4.1.21. The fix introduces an explicit confirmation step requiring a 'begin=1' URL parameter to start the timer, and updates the modassign\output\usersubmissionactionmenu::exportfor_template function to add this parameter to the 'Begin assignment' button (Miggo).