CVE-2025-32044 — Moodle: unauthenticated rest api user data exposure

Description

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.

How to fix CVE-2025-32044

To remediate CVE-2025-32044, upgrade the affected package to a fixed version below.

—upgrade to 4.5.3 or later
—upgrade to 4.5.3 or later

Is CVE-2025-32044 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 4.5.0, < 4.5.3
>= 4.5.0-beta, < 4.5.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-32044
PATCHgithub.com/moodle/moodle
WEBaccess.redhat.com/security/cve/CVE-2025-32044
WEBbugzilla.redhat.com/show_bug.cgi?id=2356829
WEB