Cyber Resilience

CVE-2025-55006

Severity: Medium

Published: 09 August 2025

Modified: 06 October 2025
KEV Added: not listed (see Summary)
Patch: fix planned in version 2.34.0 (see Deeper analysis)
CVSS v3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
EPSS score: 0.0034 (57.1st percentile)
Risk priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55006 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Frappe Learning. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-55006 is an improper input validation vulnerability (CWE-20) in Frappe Learning, a learning management system for structuring content. It affects versions 2.33.0 and below, specifically in the image upload functionality, which fails to adequately sanitize uploaded SVG files. This allows attackers to upload SVGs containing embedded JavaScript or other malicious content.

The vulnerability has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L). Exploitation requires an authenticated attacker with high privileges to upload a malicious SVG via the image upload feature. When other users view or interact with the uploaded image, the embedded scripts execute in the victim's browser context: a stored cross-site scripting (XSS) condition.

The GitHub security advisory (GHSA-mvxw-r9x4-3vrr) documents the issue. Mitigation involves upgrading to version 2.34.0, where a fix is planned.

Vulnerability details

Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
T1027.017 SVG Smuggling (Stealth): Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.
Why these techniques?

Vulnerability in public-facing LMS image upload enables direct exploitation (T1190) and delivery/execution of JS payloads via unsanitized SVGs (T1059.007, T1027.017).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30213 (same vendor: Frappe)
CVE-2025-65267 (same vendor: Frappe)
CVE-2026-28436 (same vendor: Frappe)
CVE-2025-67289 (same vendor: Frappe)
CVE-2026-35614 (same vendor: Frappe)
CVE-2025-30212 (same vendor: Frappe)
CVE-2026-44446 (same vendor: Frappe)
CVE-2026-39351 (same vendor: Frappe)
CVE-2026-44447 (same vendor: Frappe)
CVE-2025-68929 (same vendor: Frappe)

Affected Assets

frappe/learning: versions 2.0.0 to 2.34.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of all input, including uploaded SVG files, to block embedded scripts before storage or rendering.

(prevent, detect): Mandates mechanisms to detect and block malicious code (e.g., embedded JavaScript) within user-uploaded content such as SVGs.

SI-15 Information Output Filtering (prevent): Requires filtering of information outputs to remove or neutralize active content such as scripts before delivery to other users' browsers.
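As an added example (not code from Frappe Learning or the advisory), the check below implements the SI-10 upload-time validation named above against the failure described in the deeper analysis: it parses a candidate SVG with the Python standard library and reports script elements, event-handler attributes and script-scheme links, so the upload can be refused before storage. The function names and both sample files are hypothetical constructions for the example.

```python
"""Upload-time gate for SVG files: report active content before the file is stored."""
import xml.etree.ElementTree as ET

# Elements that can execute or embed arbitrary content; a plain image needs none of them.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that must never appear in an href/xlink:href of an uploaded image.
FORBIDDEN_SCHEMES = {"javascript", "vbscript", "data"}

def _local(name: str) -> str:
    """Strip the namespace from an ElementTree name such as '{ns}script'."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list == clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():                      # document order, root included
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href":               # plain href and xlink:href alike
                # Browsers ignore whitespace inside the scheme, so strip it before comparing.
                scheme = "".join(value.split()).lower().split(":", 1)[0]
                if scheme in FORBIDDEN_SCHEMES:
                    findings.append(f"{scheme}: URL in {aname} on <{name}>")
    return findings

def is_safe_svg(data: bytes) -> bool:
    """True only when no finding was raised; the caller should refuse the upload otherwise."""
    return not svg_findings(data)

# Constructed samples (hypothetical, not taken from the advisory): a benign icon and an
# SVG carrying a script element, a javascript: link with a split scheme, and a handler.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<script>console.log("x")</script>'
              b'<a xlink:href="java\nscript:void(0)"><text onclick="f()">hi</text></a></svg>')
```

Rejecting data: URLs also blocks legitimately embedded raster images, so relax that rule only if the application needs them. Stored SVGs should additionally be served with a restrictive Content-Security-Policy, which is the output-side SI-15 control for any file that slips through.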
