PAVO Pay CVE-2025-4129
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.
This issue affects PAVO Pay: before 13.05.2025.
AnalysisAI
Authorization bypass in PAVO Inc. PAVO Pay (versions before 13.05.2025) allows remote unauthenticated attackers to access sensitive data by manipulating user-controlled identifiers (IDOR pattern). The flaw, mapped to CWE-639, enables exploitation of trusted identifiers without authentication and has no public exploit identified at time of analysis, with EPSS rating exploitation likelihood at 0.27%.
Technical ContextAI
PAVO Pay is a payment platform operated by Turkish provider PAVO Inc. The root cause class is CWE-639 (Authorization Bypass Through User-Controlled Key), a classic Insecure Direct Object Reference (IDOR) pattern where the application uses identifiers supplied or influenceable by the user (such as account IDs, transaction IDs, or customer references) as the sole basis for authorization checks. Because these trusted identifiers are not validated against the authenticated session's ownership scope, an attacker can substitute another user's identifier to read data belonging to that user. No CPE strings were published with this advisory, so the precise component (web portal, mobile API, merchant backend) cannot be pinpointed from NVD data alone.
Affected ProductsAI
PAVO Pay from PAVO Inc., all versions released before 13.05.2025 (13 May 2025), is affected. No CPE strings were provided in NVD data and no specific component identifier (web, mobile, merchant API) is named, so deployments should be verified directly against the vendor advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166 and https://www.usom.gov.tr/bildirim/tr-25-0166.
RemediationAI
Patch available per vendor advisory: upgrade PAVO Pay to the build released on or after 13.05.2025, as coordinated through Turkey's USOM (CERT) at https://www.usom.gov.tr/bildirim/tr-25-0166 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166 - an exact fix version string was not published, so confirm the patched build identifier directly with PAVO Inc. before deployment. As compensating controls until patched, restrict access to PAVO Pay APIs by source IP allowlist for merchant integrations (trade-off: breaks roaming merchant clients), enable WAF rules that detect rapid sequential enumeration of numeric or guessable identifier parameters (trade-off: may false-positive on legitimate batch operations), and review web/API access logs for repeated requests differing only in identifier values to detect attempted exploitation.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today