CVE-2025-55135

Medium CVSS 6.4

Overview

In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG.

CWE: CWE-434 Published: 2025-08-07T16:15:31.143

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 6.4 (MEDIUM)
Detected tags: xss (tag impact: MODERATE)

Recommended actions:

Apply context-aware output encoding.
Enable Content-Security-Policy and HttpOnly/SameSite cookies.

Overview

Recommended tools

Tags