CVE-2025-62158: 
NixOS vulnerability analysis and mitigation

CVE-2025-62158 affects Frappe Learning, a learning management system, in versions prior to 2.38.0. The vulnerability was discovered on October 10, 2025, and involves student-uploaded attachments in assignments being stored as public files, making them accessible to anyone with the file URL without requiring authentication (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Additionally, it has a CVSS v4.0 score of 2.7 (LOW) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U. The vulnerability is categorized as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (NVD).

The vulnerability allowed unauthorized access to student-uploaded assignment files. Any individual with knowledge of the file URL could access these files without authentication, potentially exposing sensitive student information (GitHub Advisory).

The vulnerability has been patched in version 2.38.0 of Frappe Learning. The fix ensures that all student-uploaded assignment attachments are stored as private files by default. Users are advised to upgrade to version 2.38.0 or later to address this security issue (GitHub Advisory).