On some sites it was possible to retrieve data stored in the users table such as name, contact information and hashed passwords, via a stack trace returned by an API call.
IMPORTANT NOTE: Sites where PHP is configured with zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1 in the relevant php.ini file are NOT affected by this vulnerability.
Severity/Risk: Serious
Versions affected: 4.5 to 4.5.2
Versions fixed: 4.5.3
Reported by: Lucas Alonso
Workaround: Set zend.exception_ignore_args = 'On' in the php.ini file(s) used by your Moodle LMS instance, if that is not already configured. Note that this should remain configured even after the patch is applied.
CVE identifier: CVE-2025-32044
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84879
Tracker issue: MDL-84879 Unauthenticated REST API user data exposure
MSA-25-0011 Further Information
On 14th March 2025, the above-mentioned critical bug was reported in the Moodle LMS 4.5 REST API whereby, in certain situations and when an error occurs, user details may be exposed. After a prompt in-depth analysis of the report, the root cause was identified and a patch and supporting remediation instructions were quickly developed.
This issue may have exposed some sensitive user details, including name, e-mail address, hashed password, last login IP, and some metadata. Passwords in Moodle LMS are heavily salted and hashed, as well as peppered (if configured). SHA-512 hashing has been in use since Moodle LMS 4.3, and support for peppers, which further increase password security, was added in that same release.
It is important to note that only sites running Moodle LMS 4.5 (4.5.0, 4.5.1 or 4.5.2) which do not have the zend.exception_ignore_args setting enabled, and which use the internal Moodle LMS authentication system, are affected by this vulnerability. If your site may be affected, we strongly recommend that you require a password reset for all users as a precaution, and that you consider setting up multi-factor authentication and password peppers if they are not already enabled.
Steps to confirm if your site is vulnerable (for site administrators)
- Check whether you are running an affected version (4.5.x):
  - Log in as admin and navigate to Site administration > General > Notifications.
  - Check the current version at the bottom of the page. If you are running Moodle LMS 4.5.0, 4.5.1 or 4.5.2, your site may be vulnerable. Other versions are not affected.
- Check whether PHP has zend.exception_ignore_args disabled:
  - Log in as admin and navigate to Site administration > Server > PHP Info.
  - Search for zend.exception_ignore_args.
  - If the value is Off, you are susceptible to the issue. If it is On (set to 'On' or 1), you are not susceptible.
  - If you are not able to access the PHP Info screen, check on your web server whether the php.ini file(s) loaded by the web SAPI (Apache mod_php or PHP-FPM, which is not necessarily the same file the php command-line binary reads) contain zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1. If neither is present, you are susceptible: PHP's built-in default for this directive is Off, although the php.ini-production template shipped with PHP sets it On.
Steps if your site is affected
- Immediately configure zend.exception_ignore_args = 'On' in the PHP configuration used by your web server, then reload or restart Apache or PHP-FPM so the new value takes effect, and confirm it on the PHP Info page. This should remain on even after the patch is applied.
- Apply the patch (upgrade to 4.5.3) as soon as you are able to.
- Consider forcing all users to change their passwords, which can be done via the force password change option in Bulk user actions.
- If you wish, also enable multi-factor authentication and password peppers.
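The following script is an added example, not code from this advisory or from Moodle, to show what the zend.exception_ignore_args directive controls. With it Off, every frame returned by Exception::getTrace() carries the arguments that were passed to that function, so a trace that escapes into an error response carries whatever data those functions were handling (here a user record). The sample user record, the load_profile_field() helper and the probe() function are constructed for the demonstration. Run it with the php command-line binary; it throws once as configured and once after applying the advisory's workaround at runtime.

```php
<?php
// Added example, not Moodle code: demonstrates zend.exception_ignore_args.
// Run with: php exception_args_demo.php
// Caveat: the CLI may load a different php.ini than Apache/PHP-FPM, so on a
// real site the authoritative value is the one shown on the PHP Info page.
declare(strict_types=1);

// Constructed sample record standing in for a row of the user table.
// The hash is a placeholder string, not a real Moodle password hash.
const SAMPLE_USER = [
    'username' => 'jdoe',
    'email'    => 'jdoe@example.test',
    'password' => '$6$placeholder-salt$placeholder-hash',
    'lastip'   => '203.0.113.7',
];

/** Hypothetical helper that fails while handling a user record. */
function load_profile_field(array $user, string $field): string
{
    if (!array_key_exists($field, $user)) {
        throw new RuntimeException("Unknown profile field: $field");
    }
    return (string) $user[$field];
}

/**
 * Returns the arguments recorded for the innermost frame of $e's trace,
 * or null when PHP omitted them (zend.exception_ignore_args=On leaves the
 * 'args' key out of every frame).
 */
function innermost_frame_args(Throwable $e): ?array
{
    $frames = $e->getTrace();
    return $frames[0]['args'] ?? null;
}

/** True when the directive is effectively on, using PHP's ini boolean rules. */
function ignore_args_enabled(): bool
{
    return filter_var(ini_get('zend.exception_ignore_args'), FILTER_VALIDATE_BOOLEAN);
}

/** Triggers an exception inside a function holding the user record and inspects the trace. */
function probe(string $label): void
{
    try {
        load_profile_field(SAMPLE_USER, 'does_not_exist');
    } catch (RuntimeException $e) {
        $state = ignore_args_enabled() ? 'On' : 'Off';
        $args  = innermost_frame_args($e);
        echo "[$label] zend.exception_ignore_args=$state: ";
        if ($args === null) {
            echo "trace frames carry no arguments\n";
        } else {
            // $args[0] is the $user array passed to load_profile_field(); print only
            // its keys to show what the trace holds without echoing the values.
            echo "trace frame 0 holds the user record with keys "
                . implode(', ', array_keys($args[0])) . "\n";
        }
    }
}

// 1. Whatever the loaded php.ini says (built-in default Off; php.ini-production sets On).
probe('as configured');

// 2. The advisory's workaround, applied at runtime for demonstration only.
//    On a real site set it in php.ini and restart the web server / PHP-FPM;
//    ini_set() here affects this script alone.
ini_set('zend.exception_ignore_args', '1');
probe('after enabling');
```

On a host where the CLI php.ini leaves the directive Off, the first probe reports that frame 0 holds the user record's keys and the second reports no arguments; if the first probe already reports On, the CLI configuration is safe but that says nothing about the web SAPI, which is why the advisory points at the PHP Info page rather than at the command line.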
(Updated 3 April 2025 to add the CVE identifier.)