| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tutor | pip | <= 20.0.2 | None |
The vulnerability, CVE-2025-65681, describes an information disclosure flaw in Overhang.IO Tutor due to improper cache control. The analysis of the overhangio/tutor repository reveals that it uses Caddy as a reverse proxy, configured via the tutor/templates/apps/caddy/Caddyfile template. This configuration file defines how HTTP requests are handled and forwarded to backend services, including the Open edX LMS (Learning Management System), where sensitive user data is managed.
The core of the vulnerability lies in the Caddy configuration block that handles requests for the LMS. This block, identified by {{ LMS_HOST }}, proxies requests to the lms:8000 service but fails to add any Cache-Control HTTP headers to the responses. Without these headers (e.g., Cache-Control: no-store), web browsers are free to cache the content of sensitive pages, such as user profiles or account settings. As the vulnerability description states, this allows an attacker with local access to a user's machine to simply use the browser's back button to view cached pages containing personally identifiable information (PII), even after the user has logged out.
The advisory indicates that there is no patched version available, which is consistent with the finding that the current Caddyfile in the repository is still missing the necessary security headers. The vulnerable component is therefore the Caddy configuration for the LMS proxy, which I have represented as caddy.handle_lms_request to fit the required output format.
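To make the described weakness concrete, the following is an added illustration (not the project's actual Caddyfile) of a simplified LMS proxy block in the shape the analysis describes, followed by the same block with a hardening that Caddy supports: the `header` directive setting `Cache-Control: no-store` on proxied responses. The host placeholder `{{ LMS_HOST }}` and upstream `lms:8000` are taken from the analysis above; everything else is assumed for the example.

```caddyfile
# Added example, not the project's own configuration.
# Before: responses from the LMS are proxied without any cache directive,
# so the browser may keep sensitive pages in its history cache.
{{ LMS_HOST }} {
    reverse_proxy lms:8000
}

# After: the same block, with a response header telling the browser
# not to store what it receives. `defer` applies the operation when the
# response is being written, so an upstream Cache-Control value is
# replaced rather than appended to.
{{ LMS_HOST }} {
    header {
        Cache-Control "no-store"
        defer
    }
    reverse_proxy lms:8000
}
```

To check a deployment, request a page that displays profile or account data while logged in and inspect the response headers: if `Cache-Control: no-store` is absent, the page remains eligible for browser caching and the back-button exposure described above applies. A blanket `no-store` also disables caching of static assets on the same host; an operator who cares about that can scope the `header` block with a request matcher so that only dynamic pages are affected.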
Vulnerable component: caddy.handle_lms_request (tutor/templates/apps/caddy/Caddyfile)