PaperWork CVE-2025-14101
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers.
This issue affects PaperWork: from 5.2.0.9427 before 6.0.
AnalysisAI
Authorization bypass in GG Soft PaperWork versions 5.2.0.9427 through 6.0 allows authenticated remote attackers to access or modify resources belonging to other users by manipulating user-controlled identifiers (IDOR). The flaw was reported through Turkey's USOM/TR-CERT, and no public exploit identified at time of analysis. With an EPSS score of 0.04% (12th percentile), opportunistic mass exploitation appears unlikely, though targeted abuse within deployed environments remains realistic.
Technical ContextAI
PaperWork is a document/workflow management product distributed by GG Soft Software Services Inc., a Turkish vendor. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as Insecure Direct Object Reference (IDOR). In this class of flaw, the application uses identifiers supplied by the client - such as record IDs in URL parameters, form fields, or API payloads - to look up server-side objects, but fails to verify that the authenticated session actually owns or is permitted to access the referenced object. The 'Exploitation of Trusted Identifiers' qualifier in the description suggests the application trusts ID values that pass session validation without performing per-object authorization checks, enabling horizontal (and potentially vertical) privilege escalation across tenants or users.
Affected ProductsAI
GG Soft Software Services Inc. PaperWork is affected from version 5.2.0.9427 up to (but not including) 6.0; upgrading to 6.0 or later is required. No CPE strings were provided in the supplied intelligence to enumerate exact build identifiers. Vendor and national-CERT advisories are published at https://www.usom.gov.tr/bildirim/tr-25-0464 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0464.
RemediationAI
Upgrade PaperWork to version 6.0 or later, which is the first release outside the affected range per the vendor coordination through USOM (TR-25-0464); patch details and vendor guidance are available at https://www.usom.gov.tr/bildirim/tr-25-0464 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0464. If immediate upgrade is not possible, compensating controls include placing the PaperWork web interface behind an authenticated reverse proxy that enforces per-user URL/path restrictions, enabling verbose application access logging to detect anomalous ID enumeration patterns (sequential or out-of-range object IDs in requests), and restricting account provisioning to trusted internal users - accepting the side effect that legitimate cross-team document sharing workflows may require manual coordination until the patched build is deployed. Review historical access logs for unusual ID iteration that may indicate prior unauthorized access.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today