Improper Authentication in pwn.college DOJO Education Platform
CVE-2025-62376

9.5CRITICAL

Key Information:

Vendor: Pwncollege
Status: Dojo
Vendor: CVE Published:; 14 October 2025

What is CVE-2025-62376?

The pwn.college DOJO platform has a vulnerability in its /workspace endpoint that allows unauthorized access to active Windows VMs. This flaw arises from the view_desktop function, which inadequately verifies user authorization. An attacker can exploit this by providing a user ID and an arbitrary password, thereby impersonating other users. This compromises the confidentiality and integrity of all data on affected Windows machines and the Linux home directories, as attackers can manipulate these resources freely. The vulnerability has been addressed in the latest commit, and no workarounds are available.

Affected Version(s)

dojo < 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef

References

https://github.com/pwncollege/dojo/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/pwncollege/dojo/commit/467db0b9ea0d9a9...

x_refsource_MISC

CVSS V4

Score:

9.5

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2025
Vulnerability Reserved
Oct 10, 2025

JSON

Pwncollege

What is CVE-2025-62376?

Affected Version(s)

References

CVSS V4

Timeline