CVE-2025-62398: Moodle does not properly enforce MFA
5.3
Basic Information
PHPTechnical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
| moodle/moodle | composer | >= 4.5.0-beta, < 4.5.7 | 4.5.7 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.11 | 4.4.11 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The analysis of the provided patches indicates that the core of the vulnerability lies within the tool_mfa\manager::should_require_mfa function in public/admin/tool/mfa/classes/manager.php. The security flaw is a result of improper handling of AJAX and Web Service requests during the multi-factor authentication process.
The commit a2078f781ae065ca1f781bd159c7615c84afcaa5 is the primary fix. It removes a conditional check that allowed AJAX and WS requests to proceed without completing MFA if a session was marked as mfa_pending. This created a race condition that could be exploited to bypass MFA. By removing this condition and always returning REDIRECT_EXCEPTION, the patch ensures that these types of requests cannot be used to circumvent MFA.
The commit 67005f8b2098096f4c7ca4f78ab9ce69415d703b refactors the logic within the same function to improve the order of checks. While not the direct fix for the bypass, it contributes to hardening the MFA process by ensuring that various exit conditions (like an admin setup being pending) are checked earlier. This reduces the complexity and potential for other logic errors.
Therefore, the function tool_mfa\manager::should_require_mfa is the key vulnerable function. During an exploit, this function would be called, and its flawed logic would incorrectly grant access, making it the central point of failure and the most critical indicator in a runtime profile.
Vulnerable functions
tool_mfa\manager::should_require_mfapublic/admin/tool/mfa/classes/manager.php