CVE-2025-59415

4.6 MEDIUM

📋 TL;DR

Frappe Learning versions 2.34.1 and below contain a cross-site scripting (XSS) vulnerability in profile bio content. Malicious SVG files uploaded to user profiles can execute arbitrary scripts in other users' browsers when viewed. This affects all users of vulnerable Frappe Learning instances.

💻 Affected Systems

Products:
  • Frappe Learning (LMS)
Versions: 2.34.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with user profile functionality are vulnerable. The vulnerability exists in the bio content sanitization logic.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through stored XSS.

🟠 Likely Case

Attackers upload malicious SVG files to their profiles, which execute JavaScript in other users' browsers when viewing those profiles, potentially stealing session data.

🟢 If Mitigated

With proper input sanitization and Content Security Policy, script execution would be blocked, limiting impact to benign SVG rendering issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an attacker to have an account to upload malicious SVG content, but no special privileges are needed. Victims must view the attacker's profile.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.34.2 or later

Vendor Advisory: https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx

Restart Required: No

Instructions:

1. Update Frappe Learning to version 2.34.2 or later.
2. Apply the commit ed162e254690772365d4d1365f176b59bc4db72d if manual patching is needed.
3. No service restart required after update.

🔧 Temporary Workarounds

Disable SVG uploads in profile bios (applies to: all)

Configure the system to block SVG file uploads in user profile bio fields.

Implement Content Security Policy (applies to: all)

Add CSP headers to prevent inline script execution from SVG files:

Content-Security-Policy: default-src 'self'; script-src 'self'
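The workaround above blocks SVG outright; where profile artwork in SVG must stay enabled, the alternative is to validate the file before it is stored. The following is an added example for this advisory, not Frappe Learning's own code or the vendor's fix: it parses the upload as XML and rejects any element or attribute that can run script or embed foreign content (script and foreignObject elements, on* event-handler attributes, and javascript:/data:text/html hrefs). The sample SVGs are constructed.

```python
"""Conservative validator for SVG files uploaded to user profiles.

Added example for this advisory, not Frappe Learning's own code. It parses the
SVG as XML and rejects anything that can execute script or load foreign
content. Reject-on-doubt: profile artwork rarely needs these features.
"""
import xml.etree.ElementTree as ET
from typing import List

# Elements that can run script or embed arbitrary HTML/resources inside an SVG.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn an href into executable or HTML content.
FORBIDDEN_SCHEMES = ("javascript:", "data:text/html", "vbscript:")


def _local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'; 'onload' -> 'onload'."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(svg_bytes: bytes) -> List[str]:
    """Return the reasons an SVG should be rejected; an empty list means clean."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element <{_local_name(root.tag)}> is not <svg>")

    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                # onload=, onclick=, onmouseover=, ... all run script.
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href":
                # Covers both plain href and xlink:href (namespace stripped above).
                normalized = "".join(value.split()).lower()
                if normalized.startswith(FORBIDDEN_SCHEMES):
                    findings.append(f"dangerous href on <{name}>: {value[:40]}")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True when the upload can be stored as profile artwork."""
    return not svg_findings(svg_bytes)


# Constructed samples: a harmless icon and two that must be rejected.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect/></svg>'

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)]:
        print(label, "->", svg_findings(sample) or "accepted")
```

Two points worth keeping in mind when wiring this in: browsers do not run script in an SVG referenced from an `<img>` tag, but they do when the file is opened directly at its upload URL or embedded via `<object>`/`<iframe>`, so the validator should run at upload time regardless of how the profile page renders the image; and the CSP header above only protects pages that actually carry it, so the host serving uploaded files needs the same header (or should serve uploads with `Content-Disposition: attachment`).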

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers to block inline script execution.
  • Monitor and audit user profile content for suspicious SVG uploads.

🔍 How to Verify

Check if Vulnerable:

Check if Frappe Learning version is 2.34.1 or below. Review if SVG files in profile bios are properly sanitized.

Check Version:

Check Frappe Learning version in system settings or via 'bench version' command if using Frappe Bench.

Verify Fix Applied:

Verify installation is version 2.34.2 or later. Test by uploading an SVG with script tags to profile bio - it should be sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads to user profiles
  • Multiple profile view requests from single IP

Network Indicators:

  • Outbound connections to suspicious domains from user browsers after viewing profiles

SIEM Query:

source="frappe-logs" AND (event="profile_upload" AND file_type="svg")
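The SIEM query above assumes an event/file_type field pair; the following added example (not Frappe's own tooling) shows the same two log indicators implemented as plain detection logic. Frappe Learning's real log format is not shown in this advisory, so the key=value lines are constructed stand-ins, and the "distinct profiles per IP" threshold is an assumed starting value to tune per site.

```python
"""Detection logic for the log indicators listed above.

Added example, not Frappe's own tooling. The log format below is constructed
to carry the fields used in the SIEM query (source, event, file_type).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines (not real Frappe output).
SAMPLE_LOGS = """\
2025-10-01T09:58:12Z source=frappe-logs event=profile_upload user=alice file_type=png file=avatar.png
2025-10-01T10:01:44Z source=frappe-logs event=profile_upload user=mallory file_type=svg file=bio.svg
2025-10-01T10:02:03Z source=frappe-logs event=profile_view ip=198.51.100.7 profile=mallory
2025-10-01T10:02:05Z source=frappe-logs event=profile_view ip=198.51.100.7 profile=bob
2025-10-01T10:02:06Z source=frappe-logs event=profile_view ip=198.51.100.7 profile=carol
2025-10-01T10:02:08Z source=frappe-logs event=profile_view ip=198.51.100.7 profile=dave
2025-10-01T10:05:00Z source=frappe-logs event=profile_view ip=203.0.113.9 profile=alice
2025-10-01T10:07:21Z source=frappe-logs event=profile_upload user=eve file_type=SVG file=logo.SVG
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def svg_profile_uploads(log_text: str) -> List[Tuple[str, str, str]]:
    """Equivalent of: event="profile_upload" AND file_type="svg".

    The comparison is case-insensitive so an uploaded '.SVG' is not missed.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "profile_upload" and rec.get("file_type", "").lower() == "svg":
            hits.append((rec["ts"], rec.get("user", "?"), rec.get("file", "?")))
    return hits


def profile_view_bursts(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """IPs that viewed at least `threshold` distinct profiles (assumed default)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "profile_view" and "ip" in rec:
            seen[rec["ip"]].add(rec.get("profile", ""))
    return {ip: len(profiles) for ip, profiles in seen.items() if len(profiles) >= threshold}


if __name__ == "__main__":
    for ts, user, fname in svg_profile_uploads(SAMPLE_LOGS):
        print(f"ALERT svg profile upload {ts} user={user} file={fname}")
    for ip, count in profile_view_bursts(SAMPLE_LOGS).items():
        print(f"NOTICE {ip} viewed {count} distinct profiles")
```

The upload indicator is the reliable one: on a vulnerable version every SVG that lands in a profile bio is worth a look, and the rule can be paired with the content validator to flag files that were rejected. The per-IP view burst is noisy (instructors and search crawlers legitimately browse many profiles), so treat it as context for triage rather than as an alert on its own.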
