CVE-2025-64705: 
NixOS vulnerability analysis and mitigation

Frappe Learning, a learning management system, was found to contain a security vulnerability (CVE-2025-64705) that allowed users to access submissions made by other students. The vulnerability affected versions from 2.0.0 up to version 2.41.0. The issue was discovered and disclosed on November 11, 2025, and was subsequently patched in version 2.41.0 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Under CVSS v4.0, it received a score of 1.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allowed users to view submissions made by other students within the Frappe Learning system, compromising the confidentiality of student work and potentially affecting the academic integrity of the platform (GitHub Advisory).

The vulnerability has been patched in version 2.41.0 of Frappe Learning. The fix implements proper role-based access controls and includes redirects when attempting to access submissions via direct URLs. Users are advised to upgrade to version 2.41.0 or later to mitigate this vulnerability (GitHub Advisory).