CVE-2025-62523: PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CO...

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0

Metrics

CVSS 3.1

6.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS Probability

0.19%

8.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-942

Affected Software

Vendor	Product	Versions
Thm	Pilos	< 4.8.0

References

https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808da8Patch
https://github.com/THM-Health/PILOS/security/advisories/GHSA-pgfw-f4mp-5445Mitigation, Vendor Advisory

Timeline

Published: Oct 27, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-62523?

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0

How severe is CVE-2025-62523?

CVE-2025-62523 has a CVSS score of 6.3/10 (MEDIUM severity). The EPSS model estimates a 0.19% probability of exploitation in the next 30 days.

How do I fix CVE-2025-62523?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.