RomM: Auth Delete of Other User Collections Before 4.4.1
CVE-2025-65097 Published on December 3, 2025
Insecure Direct Object Reference (IDOR) Allows Unauthorized Deletion of User Collections
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
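The following is an added illustration of the missing-ownership-check pattern described above, placed here as example code; it is not RomM's source. The Collection class, the in-memory CollectionStore and both handler names are assumptions made for the demonstration. It shows the vulnerable shape (the handler trusts the collection id in the request and never compares the row's owner to the authenticated caller) beside the fixed shape (the owner is checked before the destructive action), and runs both against the same constructed data.

```python
# Constructed example, not RomM's code: Collection, CollectionStore and the
# two delete handlers are assumptions used to illustrate the advisory.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but does not own the resource (maps to HTTP 403)."""


class NotFound(Exception):
    """Resource does not exist (maps to HTTP 404)."""


@dataclass
class Collection:
    id: int
    owner_id: int
    name: str


@dataclass
class CollectionStore:
    """Minimal stand-in for a database table of user collections."""
    rows: dict = field(default_factory=dict)

    def add(self, collection: Collection) -> None:
        self.rows[collection.id] = collection

    def get(self, collection_id: int):
        return self.rows.get(collection_id)

    def remove(self, collection_id: int) -> None:
        del self.rows[collection_id]


def delete_collection_vulnerable(store: CollectionStore, caller_id: int, collection_id: int) -> None:
    """IDOR pattern: only existence is checked, never ownership, so any
    authenticated caller who supplies another user's id reaches the delete."""
    row = store.get(collection_id)
    if row is None:
        raise NotFound(collection_id)
    store.remove(collection_id)  # caller_id is never consulted


def delete_collection_fixed(store: CollectionStore, caller_id: int, collection_id: int) -> None:
    """Ownership check before the destructive action. Many services return
    404 for rows the caller does not own so that foreign ids are not confirmed;
    403 is used here so the two outcomes can be told apart in the demo."""
    row = store.get(collection_id)
    if row is None:
        raise NotFound(collection_id)
    if row.owner_id != caller_id:
        raise Forbidden(collection_id)
    store.remove(collection_id)


def demo() -> dict:
    """Run both handlers with a caller who is not the owner of collection 1
    and report, per handler, the outcome and whether the row survived."""
    results = {}
    for name, handler in (("vulnerable", delete_collection_vulnerable),
                          ("fixed", delete_collection_fixed)):
        store = CollectionStore()
        store.add(Collection(id=1, owner_id=100, name="user100-favourites"))
        store.add(Collection(id=2, owner_id=200, name="user200-retro"))
        try:
            handler(store, caller_id=200, collection_id=1)  # caller 200 does not own id 1
            outcome = "deleted"
        except Forbidden:
            outcome = "forbidden"
        results[name] = (outcome, store.get(1) is not None)
    return results


if __name__ == "__main__":
    for name, (outcome, survived) in demo().items():
        print(f"{name}: non-owner delete -> {outcome}; collection 1 still exists: {survived}")
```

The fix is the single comparison of `row.owner_id` against the authenticated caller; the detection-side corollary is that a DELETE on a collection endpoint should be logged together with the caller identity and the target's owner, so that mismatches stand out in audit review.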
Weakness Types
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-65097 has been classified as an Authorization vulnerability or weakness.
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2025-65097 has been classified as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Affected Versions
rommapp romm Version < 4.4.1-beta.2 is affected by CVE-2025-65097
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.