CVE-2025-47942
📋 TL;DR
The Open edX Platform allows unauthorized users to download python_lib.zip files from courses, which may contain custom grading code or answers to course problems. This affects any Open edX deployment using custom Python-graded problem blocks without proper access controls. Course creators and administrators are primarily impacted by potential intellectual property leakage.
💻 Affected Systems
- Open edX Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers download sensitive course materials including answer keys, custom grading logic, and proprietary educational content, leading to academic integrity violations and intellectual property theft.
Likely Case
Students or unauthorized users access python_lib.zip files containing problem solutions, compromising course integrity and enabling cheating.
If Mitigated
Only authorized course team members and site administrators can access python_lib.zip files, maintaining course security and intellectual property protection.
🎯 Exploit Status
Exploitation requires access to course URLs but no special privileges. The vulnerability is straightforward to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba
Vendor Advisory: https://github.com/openedx/edx-platform/security/advisories/GHSA-x5cm-2hpq-pw57
Restart Required: Yes
Instructions:
1. Update Open edX Platform to include commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba.
2. Restart the edxapp service.
3. Verify python_lib.zip files are only accessible to course team and site staff.
🔧 Temporary Workarounds
NGINX Access Restriction
Implement NGINX rules to block unauthorized access to python_lib.zip files. Note that this location block matches every .zip under /static/, not only python_lib.zip, and that deny all refuses course staff as well; if staff still need to fetch the file, put allow directives for trusted addresses ahead of deny all.
# Add to NGINX configuration:
location ~* /static/.*\.zip$ {
deny all;
# Or restrict to specific IPs/users (allow <address>; lines placed before deny all)
}
🧯 If You Can't Patch
- Implement network-level access controls to restrict python_lib.zip downloads to authorized users only.
- Monitor and audit access to python_lib.zip files in web server logs for unauthorized attempts.
🔍 How to Verify
Check if Vulnerable:
Attempt to access a python_lib.zip file from a course as a non-staff user. If downloadable, the system is vulnerable.
Check Version:
git merge-base --is-ancestor 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba HEAD && echo "fix commit present" || echo "fix commit NOT in this checkout"
Verify Fix Applied:
Verify python_lib.zip files return 403 Forbidden or similar error for non-authorized users after patch application.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses for python_lib.zip requests from unauthorized IPs/users
- Unusual download patterns of .zip files from /static/ paths
Network Indicators:
- GET requests to URLs containing 'python_lib.zip' from non-staff users
SIEM Query:
source="web_server_logs" AND uri="*python_lib.zip" AND status=200 AND user NOT IN (authorized_users)
🔗 References
- https://github.com/edx/configuration/blob/3471fc036a6664cedd3e2d78403dca73bc1cda51/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/python_lib.zip.j2
- https://github.com/openedx/edx-platform/commit/6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba
- https://github.com/openedx/edx-platform/security/advisories/GHSA-x5cm-2hpq-pw57