CVE-2025-64707: 
NixOS vulnerability analysis and mitigation

Frappe Learning, a learning management system, was found to have a vulnerability affecting versions 2.0.0 to 2.41.0. The issue involves a caching problem where role revocation by administrators did not take immediate effect, potentially leading to unauthorized access retention. The vulnerability was disclosed on November 11, 2025, and was assigned CVE-2025-64707 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. Under CVSS v4.0, it received a score of 1.2 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U. The vulnerability is classified as CWE-863 (Incorrect Authorization) (NVD).

When administrators revoked user roles, the changes were not immediately effective due to caching issues. This delay in role revocation could potentially allow users to retain access privileges temporarily after they should have been removed (GitHub Advisory).

The vulnerability has been fixed in version 2.41.0 by implementing proper cache clearing mechanisms after role updates. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).