VYPR
Medium severity 6.4 · OSV Advisory · Published Aug 7, 2025 · Updated Apr 15, 2026

CVE-2025-55135

Description

In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG.
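
The description names the three formats that should be accepted. An added example (not Agora's code and not the change in 690ce56) of an upload allowlist that checks both the declared MIME type and the file's leading bytes, so SVG is refused even when it is labelled as a PNG; the function names and the sample buffers are constructed for illustration.

```javascript
// Added example: allowlist check for an uploaded profile picture.
// Assumption: the upload handler has the file bytes and the client-declared MIME type.
const ALLOWED_TYPES = new Set(["image/png", "image/jpeg", "image/webp"]);
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Identify the format from its magic bytes; returns null for anything else (SVG included).
function sniffImageType(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 12) return null;
  if (buf.subarray(0, 8).equals(PNG_MAGIC)) return "image/png";
  if (buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) return "image/jpeg";
  const riff = buf.toString("latin1", 0, 4) === "RIFF";
  if (riff && buf.toString("latin1", 8, 12) === "WEBP") return "image/webp";
  return null;
}

// Accept only when the declared type is allowlisted AND matches the content.
function checkProfilePicture(buf, declaredMime) {
  const declared = String(declaredMime || "").toLowerCase().split(";")[0].trim();
  if (!ALLOWED_TYPES.has(declared)) {
    return { ok: false, reason: "declared type not allowed" };
  }
  const sniffed = sniffImageType(buf);
  if (sniffed === null) {
    return { ok: false, reason: "content is not PNG, JPEG or WEBP" };
  }
  if (sniffed !== declared) {
    return { ok: false, reason: "declared type does not match content" };
  }
  return { ok: true, type: sniffed };
}

// Constructed sample inputs (headers only, padded; not real images).
const png = Buffer.concat([PNG_MAGIC, Buffer.alloc(8)]);
const jpeg = Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe0]), Buffer.alloc(8)]);
const webp = Buffer.from("RIFF\0\0\0\0WEBP", "latin1");
const svg = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"></svg>');

console.log(checkProfilePicture(png, "image/png"));     // accepted
console.log(checkProfilePicture(svg, "image/svg+xml")); // rejected: declared type
console.log(checkProfilePicture(svg, "image/png"));     // rejected: content sniff
```

The magic-byte check only identifies the container format; it does not validate the rest of the file.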

Affected products

2
  • Agorafoundation/Agora · OSV · 2 versions
    Archive-tag-pre-ejs-trim, fall23-Alpha1 + 1 more
    • (no CPE) range: Archive-tag-pre-ejs-trim, fall23-Alpha1
    • (no CPE) range: < 690ce56