Description

In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG.

INFO

Published Date :

2025-08-07T00:00:00.000Z

Last Modified :

2025-08-08T12:39:00.744Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-55135 vulnerability.

Vendors Products
Agora Foundation
  • Agora
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55135.

URL Resource
https://github.com/Msfv3n0m/vulnerability-research/tree/main/CVE-2025-55135 cve-icon cve-icon
https://github.com/agorafoundation/agora/blob/90f7f9c217cf1d5dc9d27f5695cd65b61a4c4759/server/controller/userController.js#L332-L336 cve-icon cve-icon
https://github.com/agorafoundation/agora/commit/690ce56f254af01375b6033e53a80f14d7cc002e cve-icon cve-icon
https://github.com/agorafoundation/agora/pull/556 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact