HackTesting

CVE-2025-13084

The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.

Credits

Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to CISA.

References

https://www.opto22.com/support/resources-tools/knowledgebase/kb91325
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-04.json