Skip to main content

PAVO Pay CVE-2025-4129

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-07-21 iletisim@usom.gov.tr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 18:39 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.

This issue affects PAVO Pay: before 13.05.2025.

AnalysisAI

Authorization bypass in PAVO Inc. PAVO Pay (versions before 13.05.2025) allows remote unauthenticated attackers to access sensitive data by manipulating user-controlled identifiers (IDOR pattern). The flaw, mapped to CWE-639, enables exploitation of trusted identifiers without authentication and has no public exploit identified at time of analysis, with EPSS rating exploitation likelihood at 0.27%.

Technical ContextAI

PAVO Pay is a payment platform operated by Turkish provider PAVO Inc. The root cause class is CWE-639 (Authorization Bypass Through User-Controlled Key), a classic Insecure Direct Object Reference (IDOR) pattern where the application uses identifiers supplied or influenceable by the user (such as account IDs, transaction IDs, or customer references) as the sole basis for authorization checks. Because these trusted identifiers are not validated against the authenticated session's ownership scope, an attacker can substitute another user's identifier to read data belonging to that user. No CPE strings were published with this advisory, so the precise component (web portal, mobile API, merchant backend) cannot be pinpointed from NVD data alone.

Affected ProductsAI

PAVO Pay from PAVO Inc., all versions released before 13.05.2025 (13 May 2025), is affected. No CPE strings were provided in NVD data and no specific component identifier (web, mobile, merchant API) is named, so deployments should be verified directly against the vendor advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166 and https://www.usom.gov.tr/bildirim/tr-25-0166.

RemediationAI

Patch available per vendor advisory: upgrade PAVO Pay to the build released on or after 13.05.2025, as coordinated through Turkey's USOM (CERT) at https://www.usom.gov.tr/bildirim/tr-25-0166 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166 - an exact fix version string was not published, so confirm the patched build identifier directly with PAVO Inc. before deployment. As compensating controls until patched, restrict access to PAVO Pay APIs by source IP allowlist for merchant integrations (trade-off: breaks roaming merchant clients), enable WAF rules that detect rapid sequential enumeration of numeric or guessable identifier parameters (trade-off: may false-positive on legitimate batch operations), and review web/API access logs for repeated requests differing only in identifier values to detect attempted exploitation.

Share

CVE-2025-4129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy