CVE-2025-62158
📋 TL;DR
Frappe Learning versions before 2.38.0 stored student-uploaded assignment attachments as public files, allowing anyone with the file URL to access them without authentication. This exposes potentially sensitive student data to unauthorized access. All users of Frappe Learning versions prior to 2.38.0 are affected.
💻 Affected Systems
- Frappe Learning (LMS)
📦 What is this software?
Learning by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Mass exposure of sensitive student data including personal documents, confidential assignments, or proprietary information to the public internet.
Likely Case
Unauthorized access to student-submitted files containing personal information, academic work, or other sensitive content.
If Mitigated
Limited exposure if files contain only non-sensitive content or if access patterns are monitored and blocked.
🎯 Exploit Status
Exploitation requires knowledge of file URLs but no authentication or special tools. Attackers could potentially enumerate or guess file URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.38.0
Vendor Advisory: https://github.com/frappe/lms/security/advisories/GHSA-h6fh-7f24-f2j5
Restart Required: No
Instructions:
1. Update Frappe Learning to version 2.38.0 or later.
2. Verify that student-uploaded files are now stored as private files.
3. Review existing student files to ensure they are properly secured.
🔧 Temporary Workarounds
Manual File Access Restriction
Manually configure file storage to use private access for student-uploaded files
Web Server Access Controls
Implement web server rules to restrict access to student file directories
🧯 If You Can't Patch
- Implement strict access controls on the file storage directory at the operating system level
- Deploy a web application firewall (WAF) to block unauthorized access to student file URLs
🔍 How to Verify
Check if Vulnerable:
Check if student-uploaded assignment files are accessible without authentication by testing file URLs
Check Version:
Check Frappe Learning version in system settings or via administrative interface
Verify Fix Applied:
Verify that student-uploaded files now require authentication and return appropriate access denied responses
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to student file URLs
- Unusual download patterns from student file directories
Network Indicators:
- Direct file downloads without preceding authentication requests
- External IPs accessing student file paths
SIEM Query:
sourceIP NOT IN internal_networks AND url CONTAINS '/files/student_assignments/' AND response_code=200
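The SIEM query above expressed as a log filter, as an added example that is not part of the advisory or the Frappe project's code. It assumes combined-format web server access logs, RFC 1918 and loopback ranges as "internal_networks", and that the LMS serves public attachments under /files/ (the watched prefix is a parameter, so the advisory's '/files/student_assignments/' can be passed instead).

```python
import ipaddress
import re
from typing import Iterable

# Assumption: these ranges stand in for the SIEM's "internal_networks" list.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Combined log format: client IP, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def flag_public_file_hits(lines: Iterable[str], watched_prefix: str = "/files/") -> list:
    """Return successful (200) GETs of public file paths from non-internal IPs.

    Mirrors: sourceIP NOT IN internal_networks AND url CONTAINS <prefix> AND response_code=200
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if m.group("method") != "GET" or m.group("status") != "200":
            continue
        if not path.startswith(watched_prefix) or is_internal(m.group("ip")):
            continue
        hits.append({"ip": m.group("ip"), "path": path})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /files/assignment1.pdf HTTP/1.1" 200 51234 "-" "curl/8.0"',
    '192.168.1.10 - - [10/Oct/2025:13:55:40 +0000] "GET /files/assignment1.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:13:56:02 +0000] "GET /private/files/assignment2.pdf HTTP/1.1" 403 512 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2025:13:57:11 +0000] "GET /files/report.docx?dl=1 HTTP/1.1" 200 88123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:13:58:30 +0000] "GET /app/lms HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

A 200 on a public /files/ path from outside after the patch, or a still-world-readable file, is what "Verify Fix Applied" above should no longer produce; the 403 on the /private/files/ path is the expected post-fix behaviour.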