CVE-2025-64705
📋 TL;DR
CVE-2025-64705 is an information disclosure vulnerability in Frappe Learning Management System (LMS) that allows authenticated users to access other students' submissions. This affects all users of Frappe LMS versions 2.0.0 through 2.40.0. The vulnerability stems from improper access controls that fail to restrict users to their own data.
💻 Affected Systems
- Frappe Learning Management System (LMS)
📦 What is this software?
Learning by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach where all student submissions (including potentially sensitive information) become accessible to any authenticated user, leading to academic integrity violations and privacy violations.
Likely Case
Unauthorized viewing of other students' work, potentially enabling academic dishonesty through copying or gaining unfair advantages in assessments.
If Mitigated
Limited exposure if only a few users discover the vulnerability, but still represents a breach of academic privacy and trust.
🎯 Exploit Status
Exploitation requires authenticated student access and knowledge of direct URL patterns or enumeration techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.41.0
Vendor Advisory: https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8
Restart Required: No
Instructions:
1. Back up your Frappe LMS installation and database.
2. Update Frappe LMS to version 2.41.0 or later using your deployment method (bench update for Frappe installations).
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Access Control Review
Manually review and tighten role-based access controls for submission viewing endpoints
🧯 If You Can't Patch
- Implement network segmentation to isolate the LMS from other sensitive systems
- Enable detailed audit logging for all submission access attempts and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check if your Frappe LMS version is between 2.0.0 and 2.40.0 inclusive. Test by having two student accounts attempt to access each other's submission URLs.
Check Version:
For Frappe installations: bench version | grep lms
Verify Fix Applied:
After updating to 2.41.0+, test that student accounts can only access their own submissions and receive proper redirects/errors when attempting to access others' submissions.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed access attempts to submission endpoints from same user
- Unusual patterns of submission viewing across different student IDs
Network Indicators:
- Unusual HTTP request patterns to submission API endpoints with different student IDs
SIEM Query:
source="frappe-lms" AND (url_path="/api/method/lms.lms.doctype.lms_submission.lms_submission" OR url_path LIKE "%/submission/%") AND user_id!=submission_owner_id
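The log indicators and the SIEM condition above, applied to access records in Python. This is an added example, not Frappe's code or log format: the field names are borrowed from the query, while the `status` field, the URL paths, the `staff` allowlist and the threshold of 3 are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed records, not real Frappe LMS logs. Field names follow the SIEM
# query above; "status" and the URL paths are assumptions for illustration.
SAMPLE_LOG = """
{"user_id":"stu1","url_path":"/submission/S-1","submission_owner_id":"stu1","status":200}
{"user_id":"stu2","url_path":"/submission/S-1","submission_owner_id":"stu1","status":200}
{"user_id":"stu2","url_path":"/submission/S-3","submission_owner_id":"stu3","status":200}
{"user_id":"stu2","url_path":"/submission/S-4","submission_owner_id":"stu4","status":200}
{"user_id":"stu3","url_path":"/submission/S-2","submission_owner_id":"stu2","status":200}
{"user_id":"stu5","url_path":"/submission/S-1","submission_owner_id":"stu1","status":403}
{"user_id":"stu5","url_path":"/submission/S-2","submission_owner_id":"stu2","status":403}
{"user_id":"stu5","url_path":"/submission/S-3","submission_owner_id":"stu3","status":403}
{"user_id":"teach1","url_path":"/submission/S-1","submission_owner_id":"stu1","status":200}
{"user_id":"stu4","url_path":"/courses/intro","submission_owner_id":null,"status":200}
not-json
"""
MARKERS = ("/submission/", "lms.lms.doctype.lms_submission.lms_submission")

def analyze(log_text, staff=frozenset(), threshold=3):
    """Return {user: {"owners_read", "denied", "enumeration"}} for cross-owner access."""
    served = defaultdict(set)   # user -> owners whose submissions were returned
    denied = defaultdict(int)   # user -> refused cross-owner requests
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(rec, dict):
            continue
        path = rec.get("url_path") or ""
        user, owner = rec.get("user_id"), rec.get("submission_owner_id")
        if not any(m in path for m in MARKERS) or not user or not owner:
            continue
        if user == owner or user in staff:
            continue  # own submission, or a role allowed to review others
        if rec.get("status") in (401, 403):
            denied[user] += 1
        else:
            served[user].add(owner)
    return {
        u: {"owners_read": sorted(served[u]), "denied": denied[u],
            "enumeration": len(served[u]) >= threshold or denied[u] >= threshold}
        for u in sorted(set(served) | set(denied))
    }

if __name__ == "__main__":
    for user, finding in analyze(SAMPLE_LOG, staff={"teach1"}).items():
        print(user, finding)
```

Any entry with a non-empty `owners_read` is a served cross-owner read and worth reviewing on its own; without the `staff` allowlist, instructors who legitimately review submissions show up as findings.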