VYPR
Medium severity, score 6.4 · OSV Advisory · Published Aug 7, 2025 · Updated Apr 15, 2026

CVE-2025-55135

Description

In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Agora fall23-Alpha1 allows remote attackers to execute arbitrary JavaScript by uploading a malicious SVG as a profile picture.

Vulnerability Overview

The vulnerability is a stored cross-site scripting (XSS) issue in Agora Foundation Agora version fall23-Alpha1 and earlier. The root cause is insufficient file type validation in the profile picture upload functionality. The server-side route server/routes/userRoutes.js permitted file formats beyond the intended PNG, JPEG, and WEBP, including SVG. An attacker could upload an SVG file containing malicious JavaScript, which would then be stored and served to other users [1][2].

Exploitation

Exploitation requires an attacker to have an authenticated account on an Agora instance, as the upload endpoint is only accessible to logged-in users. The attacker uploads a crafted SVG file as their profile picture via the uploadProfilePicture route. When other users visit pages that render the profile image (such as user profiles or comment sections), the SVG is rendered in the browser, and the embedded JavaScript executes in the context of the victim’s session [1][3]. No additional user interaction is needed beyond viewing the attacker's profile [3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of other users. This can lead to session hijacking, theft of sensitive data (e.g., cookies, tokens), defacement of the UI, or further malicious actions on behalf of the victim. The CVSS v3 score is 6.4 (Medium), reflecting the need for authentication and user interaction in the form of viewing a profile [3].

Mitigation

The issue has been patched in commit 690ce56 on the Agora GitHub repository [4]. The fix adds server-side file type detection using the detect-file-type library, allowing only image/png, image/jpeg, and image/webp MIME types. All users are advised to upgrade to the latest version or apply the commit. No workarounds are documented; blocking SVG uploads at the reverse proxy or application layer may serve as a temporary measure [4].
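The check the fix introduces, written as an added example (not Agora's code and not the detect-file-type library): the leading bytes of the upload decide the type, and the extension of the stored file is derived from that decision rather than from the client's file name. The upload shape `{ name, size, data }` and the helper names are assumptions; the inline magic-byte sniffing stands in for the library so the block runs without dependencies.

```javascript
// Added example, not Agora's code: the magic-byte sniffing below is a stand-in for
// the detect-file-type library (not used here) so the block runs without dependencies.
const ALLOWED_IMAGE_TYPES = new Map([
  ['image/png', 'png'],
  ['image/jpeg', 'jpg'],
  ['image/webp', 'webp'],
]);

// Identify the image type from the leading bytes only; the client-supplied file
// name and Content-Type header play no part in the decision.
function sniffImageMime(buf) {
  const pngMagic = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (buf.length >= 8 && buf.subarray(0, 8).equals(pngMagic)) {
    return 'image/png';
  }
  if (buf.length >= 3 && buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) {
    return 'image/jpeg';
  }
  if (buf.length >= 12 &&
      buf.subarray(0, 4).toString('latin1') === 'RIFF' &&
      buf.subarray(8, 12).toString('latin1') === 'WEBP') {
    return 'image/webp';
  }
  return null; // SVG/XML, HTML, scripts and anything else end up here
}

// Mirrors the order of checks in the patched route: size first, then content type.
// The returned ext is what the stored name should use (e.g. `${timeStamp}.${ext}`),
// never the extension taken from file.name.
function validateProfilePicture(file, maxSize) {
  if (file.size > maxSize) {
    return { ok: false, reason: 'too-large' };
  }
  const mime = sniffImageMime(file.data);
  if (!mime || !ALLOWED_IMAGE_TYPES.has(mime)) {
    return { ok: false, reason: 'unsupported-type' };
  }
  return { ok: true, mime, ext: ALLOWED_IMAGE_TYPES.get(mime) };
}

// Constructed sample uploads in the express-fileupload shape { name, size, data }.
function makeUpload(name, data) {
  return { name, size: data.length, data };
}
const pngUpload = makeUpload('avatar.png', Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]));
// An SVG document renamed to .png: the name says PNG, the bytes do not.
const renamedSvgUpload = makeUpload('avatar.png', Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"></svg>'));
```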

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Agorafoundation/Agora (OSV), 2 versions: Archive-tag-pre-ejs-trim, fall23-Alpha1, + 1 more
    • (no CPE) range: Archive-tag-pre-ejs-trim, fall23-Alpha1
    • (no CPE) range: < 690ce56

Patches (1)

690ce56f254a: validate image upload file types

Repository: https://github.com/agorafoundation/agora · Author: Msfv3n0m · Jul 17, 2025 · via osv
1 file changed · +21 −1
  • server/routes/userRoutes.js (+21 −1, modified)
    @@ -11,7 +11,8 @@ const router = express.Router( );
     const fs = require( 'fs' );
     const path = require( 'path' );
     const fileUpload = require( "express-fileupload" );
    -
    +const detect = require('detect-file-type');
    + 
     // controllers
     const userController = require( '../controller/userController' );
     
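Review bot: the added blank line after `const detect = require('detect-file-type');` carries a trailing space (`+ ` instead of `+`), and the new require is written `require('detect-file-type')` while every neighbouring require in this hunk uses the file's padded style `require( 'fs' )`; drop the trailing whitespace and match the surrounding spacing so the change stays a pure functional diff.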
    @@ -69,6 +70,11 @@ router.route( '/revalidate/:email' )
     router.route( '/uploadProfilePicture' )
         .post( async ( req, res ) => {
     
    +        const allowedImageTypes = [
    +            'image/png',
    +            'image/jpeg',
    +            'image/webp',
    +        ];
     
             if ( !req.files || Object.keys( req.files ).length === 0 ) {
                 // no files uploaded
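Review bot: `allowedImageTypes` is rebuilt on every request inside the `/uploadProfilePicture` handler although it never changes; hoist it to module scope next to the `require` lines (e.g. `const allowedImageTypes = [ 'image/png', 'image/jpeg', 'image/webp' ];`) and freeze it, which also makes the allow-list visible at the top of the file instead of buried in the route body.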
    @@ -80,6 +86,12 @@ router.route( '/uploadProfilePicture' )
                 // files included
                 const file = req.files.profileImage;
                 const timeStamp = Date.now();
    +            const result = detect.fromBuffer(file.data, function(err, result) {
    +                if (err) {
    +                    return console.log(err);
    +                }
    +                return result;
    +            });
     
                 // check the file size
                 if( file.size > maxSize ) {
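Review bot: `const result = detect.fromBuffer(file.data, function(err, result) { ... return result; })` relies on `detect.fromBuffer` handing the callback's return value straight back to the caller. A callback-style API gives no such guarantee: if detection runs (or is later changed to run) asynchronously, the outer `result` is `undefined` for every upload and the type check below rejects all uploads; the inner `result` parameter also shadows the outer `const result`, which hides that data flow. Move the allow-list check inside the callback, or wrap the call in a Promise and `await` it (the handler is already `async`), and log `err` explicitly rather than relying on `return console.log(err)` yielding `undefined` to trigger the rejection.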
    @@ -90,6 +102,14 @@ router.route( '/uploadProfilePicture' )
                     req.session.messageBody = "Image size was larger then " + maxSizeText + ", please use a smaller file.";
                     res.redirect( 303, '/profile/manageProfile' );
                 }
    +            // check the file type
    +            else if (!result || !allowedImageTypes.includes(result.mime)) {
    +                
    +                req.session.messageType = "warn";
    +                req.session.messageTitle = "Unsupported filetype";
    +                req.session.messageBody = "Filetype is unsupported, please use a .png, .jpeg, or .webp file"
    +                res.redirect( 303, '/profile/manageProfile' );
    +            }
                 else {
                     await file.mv( imageUploadPath + timeStamp + file.name, async ( err ) => {
                         if ( err ) {
    
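Review bot: the accepted branch (the unchanged `else`) still writes the file as `imageUploadPath + timeStamp + file.name`, so the extension of the stored file comes from the client-supplied name rather than from the detected type; derive it from `result.mime` (a small mime-to-extension map alongside `allowedImageTypes`) so a sniffed PNG can never be stored under an `.svg` or `.html` name and later served with a script-capable content type. Also, `req.session.messageBody = "Filetype is unsupported, please use a .png, .jpeg, or .webp file"` is missing its trailing semicolon, unlike the size-check branch directly above it.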

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.