Support > KnowledgeBase > KB91325
KB91325
Published: November 19, 2025
Revision: 1.0

Privilege escalation vulnerability in groov View REST APIs may expose API keys of groov View admin users

Applies To:

groov View running on the following groov EPICs:

  • GRV-EPIC-PR1
  • GRV-EPIC-PR2
groov View running on the following groov Server for Windows:
  • GROOV-SVR-WIN
  • GROOV-SVR-WIN-BASE
  • GROOV-SVR-WIN-SNAP
groov View running on the following groov products (please note that Opto 22 no longer ships updates for these products):
  • GROOV-AR1, GROOV-AR1-BASE, GROOV-AR1-SNAP
  • GROOV-AT1, GROOV-AT1-SNAP

Versions Affected:

For groov EPICS: All versions prior to 4.0.3
For groov Server for Windows: 3.3a to 4.5d

Resolved In Version:

For groov EPICS: 4.0.3
For groov Server for Windows: 4.5e

Symptoms:

A privilege escalation vulnerability in the groov View REST API may expose the API keys of the following types of users to users with groov View Editor permission/privilege:

  • For groov EPICs: System-Wide Administrators, groov Manage users
  • For groov Server for Windows and other groov products: groov View Admin

This vulnerability is described in ​CVE-2025-13084.

Resolution:

Opto 22 has resolved this issue. We recommend that users install the updates to the above-listed products, regardless of whether you're using groov View REST APIs.

Questions?

Contact: Opto 22 Product Support.
Phone: 800-835-6786 or 951-695-3080
Email: support@opto22.com

DISCLAIMER

This Opto 22 Knowledge Base ('OptoKB') article is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this OptoKB article is not intended to constitute application, design, software, or other professional engineering advice or services. Opto 22 may modify the OptoKB articles at any time. Before making any decision or taking any action which might affect your equipment, you should consult a qualified professional.

OPTO 22 DOES NOT WARRANT THE COMPLETENESS, TIMELINESS, OR ACCURACY OF THE DATA CONTAINED IN THIS OPTOKB ARTICLE AND MAY MAKE CHANGES THERETO AT ANY TIME AT ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS 'AS IS.' IN NO EVENT SHALL OPTO 22 BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT, OR DAMAGE, EVEN IF OPTO 22 HAS BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES.

OPTO 22 DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED WITH RESPECT TO THE INFORMATION (INCLUDING HARDWARE, SOFTWARE, AND/OR FIRMWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTIBILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not sanction the exclusion of implied warranties: thus, this disclaimer may not apply to you.

Copyright © 2025 Opto 22. All rights reserved.