CVE-2025-53021: Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter

June 24, 2025 (updated June 26, 2025)

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim’s session being linked to the attacker’s. Successful exploitation results in full account takeover. According to the Moodle Releases page, “Bug fixes for security issues in 3.11.x ended 11 December 2023.” NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

github.com/advisories/GHSA-cgvv-3455-824j
github.com/moodle/moodle
github.com/moodle/moodle/releases/tag/v3.11.18
moodledev.io/general/releases
nvd.nist.gov/vuln/detail/CVE-2025-53021
rentry.co/moodle-oauth2-cve

Code Behaviors & Features

Detect and mitigate CVE-2025-53021 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →