Critical IDOR Flaw in CareFlow EHR Exposes Patient Records (CVE-2025-24970)
A critical Broken Access Control vulnerability has been discovered in the CareFlow Electronic Health Record (EHR) platform. This flaw, tracked as CVE-2025-24970 and nicknamed “Patient Zero,” allows any authenticated user to access the sensitive health records of any patient in the system. It carries a CVSS score of 8.8 (High) and represents a major data privacy risk.
TL;DR:
- What: A critical Insecure Direct Object Reference (IDOR) vulnerability.
- Affected Software: CareFlow EHR versions 4.1.0 through 5.0.2.
- Impact: Any authenticated user (including a patient with portal access) can read and potentially modify the Protected Health Information (PHI) of all other patients.
- Action: Update to version 5.0.3 or newer immediately. A full audit of access logs is strongly recommended.
What is CareFlow EHR?
CareFlow EHR is a widely adopted, open-source Electronic Health Record platform used by hospitals, clinics, and healthcare providers to manage patient data, from medical histories and lab results to billing information.
The “Patient Zero” Vulnerability Explained
The vulnerability is a classic Insecure Direct Object Reference (IDOR). This type of flaw occurs when a server uses an identifier for a piece of data (like a patient ID) but fails to check if the user making the request is actually authorized to access that specific piece of data.
Think of it like a mailroom where your key opens not just your own post office box, but any box you know the number for.
In CareFlow EHR, the API endpoint for retrieving patient records uses a predictable, sequential patient ID.
- Vulnerable Endpoint: /api/v2/patients/{patient_id}/records
The Attack Scenario:
- A low-privileged user, such as a patient, logs into their own patient portal. Their browser makes a legitimate request to view their records, for example: GET /api/v2/patients/1138/records.
- The attacker simply modifies the patient_id in the URL to another number, for example: GET /api/v2/patients/1139/records.
- The server's flawed access control fails to verify that the logged-in user is associated with patient 1139. It blindly retrieves the other patient's complete health record and sends it to the attacker.
- The attacker can automate this process to download the records of every patient in the database.
Impact and Remediation
The impact of this vulnerability cannot be overstated, especially in a healthcare context.
- Massive PHI Breach: Attackers can exfiltrate highly sensitive and personal medical information, leading to identity theft, blackmail, or public disclosure.
- Regulatory Fines and Lawsuits: A breach of this nature would be a major violation of regulations like HIPAA, resulting in severe financial penalties.
- Patient Safety Risks: If the same flaw extends to data modification, an attacker could alter a patient’s allergies, medications, or diagnoses, putting their life at risk.
- Reputational Damage: The loss of patient trust can be catastrophic for a healthcare provider.
Are you affected? You are vulnerable if your institution uses CareFlow EHR versions 4.1.0 through 5.0.2.
How to Fix It: The CareFlow EHR development team has issued an emergency patch that properly enforces authorization checks on every API request.
- Update Immediately: Your top priority is to update your CareFlow EHR instance to version 5.0.3 or newer.
- Audit Access Logs: You must conduct a thorough audit of your API access logs. Look for any user account that has accessed an unusually high number of unique patient_ids. This could be a sign of active exploitation.
- Notify and Review: Depending on your jurisdiction and findings from the audit, you may be legally required to notify affected individuals and regulatory bodies.
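Added example (not CareFlow's own code): the per-patient ownership check that the vulnerable endpoint omitted, alongside the log audit recommended above, run over constructed access-log lines. The user-to-patient mapping, the log line format and the flagging threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: CareFlow's real schema and log format are not on the page.
# Each user is mapped to the patient ids they are allowed to read.
PATIENT_LINKS = {"p_alice": {1138}, "dr_bob": {1138, 1139, 1140}}


def authorize_record_access(user: str, patient_id: int) -> bool:
    """Ownership/assignment check the flawed endpoint skipped: the session
    user must be linked to the requested patient_id, not merely logged in."""
    return patient_id in PATIENT_LINKS.get(user, set())


# Assumed log format: "<timestamp> user=<name> <METHOD> <path> <status>"
RECORD_RE = re.compile(r"user=(\S+) GET /api/v2/patients/(\d+)/records\b")


def flag_record_scrapers(log_lines, max_unique_patients):
    """Audit step from the advisory: count distinct patient_ids fetched per
    user and return the users whose count exceeds max_unique_patients."""
    seen = defaultdict(set)
    for line in log_lines:
        m = RECORD_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {u: len(ids) for u, ids in seen.items() if len(ids) > max_unique_patients}


# Constructed sample log: two normal users plus one account walking sequential ids.
SAMPLE_LOG = [
    "2025-02-01T10:00:00Z user=p_alice GET /api/v2/patients/1138/records 200",
    "2025-02-01T10:00:05Z user=p_alice GET /api/v2/patients/1138/records 200",
    "2025-02-01T10:01:00Z user=dr_bob GET /api/v2/patients/1139/records 200",
    "2025-02-01T10:01:10Z user=dr_bob POST /api/v2/patients/1139/notes 201",
] + [
    f"2025-02-01T11:{i:02d}:00Z user=portal_user_7 GET /api/v2/patients/{1138 + i}/records 200"
    for i in range(8)
]

if __name__ == "__main__":
    print(authorize_record_access("p_alice", 1139))  # False: not her own record
    print(flag_record_scrapers(SAMPLE_LOG, max_unique_patients=5))  # {'portal_user_7': 8}
```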
Resources and Citations
This vulnerability was responsibly disclosed by a security researcher to the Health Information Sharing and Analysis Center (Health-ISAC).
- Official CareFlow EHR Website:
https://www.careflow-ehr.org
- Official GitHub Repository:
https://github.com/CareFlow/EHR
- Official Security Advisory:
https://github.com/CareFlow/EHR/security/advisories/GHSA-fictional-idor-2497
- NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2025-24970
- Health-ISAC Publication:
https://healthisac.org/blog/idor-vulnerability-in-careflow-ehr-cve-2025-24970/
- General