CVE-2025-64707: 
NixOS vulnerability analysis and mitigation

Frappe Learning, a learning management system, was found to have a vulnerability affecting versions 2.0.0 to 2.41.0. The vulnerability (CVE-2025-64707) involves a caching issue where role revocation by administrators did not take immediate effect. This security flaw was discovered and disclosed on November 11, 2025, with a patch released in version 2.41.0 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. Under CVSS v4.0, it received a score of 1.2 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U. The vulnerability is classified as CWE-863 (Incorrect Authorization) (NVD).

When administrators revoked a user's role, the changes were not immediately reflected in the system due to caching issues. This delay in role revocation could potentially allow users to retain access to resources temporarily after their permissions were officially revoked (GitHub Advisory).

The vulnerability has been fixed in version 2.41.0 by implementing proper cache clearing mechanisms after role updates. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).