CVE-2025-64707
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | learning | From 2.0.0 (inc) to 2.41.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Frappe Learning versions from 2.0.0 up to but not including 2.41.0 occurs because when an admin revokes a role from a user, the change does not take effect immediately due to caching. The cache was not cleared after role updates, causing a delay in the revocation's effect. This issue was fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated.
How can this vulnerability impact me?
The vulnerability can impact you by allowing users to retain permissions or roles temporarily even after an admin has revoked them, due to caching delays. This means that access control changes are not enforced immediately, potentially allowing unauthorized access or actions during the caching period.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Frappe Learning to version 2.41.0 or later, as this version includes a fix that ensures the cache is cleared immediately after roles are updated, preventing the delay in role revocation effects.
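The failure mode described above, stale role data served from a cache after an admin revokes the role, as an added illustration that is not Frappe Learning's code and does not reproduce its internals. The `RoleStore` class, its `clear_cache_on_update` switch, the `FakeClock`, and the user and role names are all constructed for this example. The vulnerable variant keeps the cached entry until its TTL expires; the fixed variant drops the entry as soon as roles change, which is the behaviour the 2.41.0 fix is described as restoring. A small audit helper shows how a defender can check whether a cache disagrees with the authoritative role store.

```python
"""Stale-cache authorization demo (hypothetical code, not Frappe's).

Shows why a permission cache must be invalidated when roles change:
otherwise a revoked role keeps working until the cached entry expires.
"""
import time


class RoleStore:
    """Authoritative user->roles mapping plus a per-user cache with a TTL."""

    def __init__(self, ttl_seconds=300.0, clear_cache_on_update=False,
                 clock=time.monotonic):
        self._roles = {}                 # source of truth: user -> set(roles)
        self._cache = {}                 # user -> (expires_at, frozenset(roles))
        self._ttl = ttl_seconds
        self._clear_on_update = clear_cache_on_update
        self._clock = clock              # injectable so tests control time

    def grant_role(self, user, role):
        self._roles.setdefault(user, set()).add(role)
        self._after_update(user)

    def revoke_role(self, user, role):
        self._roles.get(user, set()).discard(role)
        self._after_update(user)

    def _after_update(self, user):
        # Vulnerable behaviour: do nothing, the stale entry lives until TTL.
        # Fixed behaviour: drop the user's cached roles right away.
        if self._clear_on_update:
            self._cache.pop(user, None)

    def get_roles(self, user):
        now = self._clock()
        entry = self._cache.get(user)
        if entry is not None and entry[0] > now:
            return entry[1]              # cache hit (possibly stale)
        roles = frozenset(self._roles.get(user, set()))
        self._cache[user] = (now + self._ttl, roles)
        return roles

    def has_role(self, user, role):
        """The authorization check every protected action would call."""
        return role in self.get_roles(user)

    def audit_stale_cache(self):
        """Defender check: users whose cached roles differ from the store."""
        stale = []
        for user, (_expires, cached) in self._cache.items():
            if cached != frozenset(self._roles.get(user, set())):
                stale.append(user)
        return sorted(stale)


class FakeClock:
    """Constructed clock so the TTL window can be stepped deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def stale_window_demo(clear_cache_on_update):
    """Return (allowed right after revoke, allowed after TTL, stale users).

    'alice' and 'Moderator' are constructed sample values.
    """
    clock = FakeClock()
    store = RoleStore(ttl_seconds=300.0,
                      clear_cache_on_update=clear_cache_on_update,
                      clock=clock)
    store.grant_role("alice", "Moderator")
    store.has_role("alice", "Moderator")         # warms the cache
    store.revoke_role("alice", "Moderator")      # admin revokes the role
    right_after = store.has_role("alice", "Moderator")
    stale_users = store.audit_stale_cache()
    clock.advance(301)                           # step past the TTL
    after_ttl = store.has_role("alice", "Moderator")
    return right_after, after_ttl, stale_users


if __name__ == "__main__":
    print("vulnerable:", stale_window_demo(clear_cache_on_update=False))
    print("fixed:     ", stale_window_demo(clear_cache_on_update=True))
```

With `clear_cache_on_update=False` the revoked user still passes the check immediately after revocation and the audit flags the user as stale; with it enabled the revocation is enforced on the very next check. The audit helper is the kind of consistency probe worth running against any role cache, since a mismatch between cached and stored roles is the observable symptom of this class of CWE-863 defect.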