CVE-2025-64707 LOW

CVE-2025-64707: Frappe LMS revoking access did not show immediate effect as roles were cached

Vendor Frappe

Product lms

Weakness CWE-863 · Incorrect authorization

Published November 12, 2025

Last update November 13, 2025

View on NVD All CVEs

CVSS base score

1.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated.

Key dates

02Disclosure timeline

November 12, 2025 CVE published

November 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-64707 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

04Related CVE

CVE-2026-44221 ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases CVE-2025-12038 Folderly <= 0.3 - Incorrect Authorization to Authenticated (Author+) Term Deletion CVE-2026-44169 MariaDB: Authorization bypass in role-based routine-level privilege check exposes stored routine definitions CVE-2020-5239 Unspecified vulnerability in the fetchmail script in Mailu CVE-2021-24207 WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts