CVE-2025-66911

Published: Dec 19, 2025

Modified: Dec 19, 2025

PUBLISHED

Description

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/turms-im/turms

https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239

https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-66911

Description

Affected Products

References