CVE-2025-55135

Description

In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG.

Category

6.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.03%
Affected: Agora Foundation Agora
Published at:
Updated at:

References

Link Tags
https://github.com/agorafoundation/agora/pull/556
https://github.com/agorafoundation/agora/commit/690ce56f254af01375b6033e53a80f14d7cc002e
https://github.com/agorafoundation/agora/blob/90f7f9c217cf1d5dc9d27f5695cd65b61a4c4759/server/controller/userController.js#L332-L336
https://github.com/Msfv3n0m/vulnerability-research/tree/main/CVE-2025-55135

Frequently Asked Questions

What is the severity of CVE-2025-55135?
CVE-2025-55135 has been scored as a medium severity vulnerability.
How to fix CVE-2025-55135?
To fix CVE-2025-55135, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-55135 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-55135 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-55135?
CVE-2025-55135 affects Agora Foundation Agora.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.