Cross-Site Scripting Vulnerability in Agora Foundation's Agora Product
CVE-2025-55135

6.4MEDIUM

Key Information:

Vendor: Agora Foundation
Status: Agora
Vendor: CVE Published:; 7 August 2025

🔔 Create Agora Foundation Vulnerability Alert

What is CVE-2025-55135?

The Agora product by Agora Foundation contains a Cross-Site Scripting (XSS) vulnerability in versions before 690ce56. This vulnerability arises due to the improper handling of profile picture formats, allowing SVG and other non-standard file types to be uploaded without restriction. This flaw can be exploited through server/controller/userController.js, where image file formats are inadequately validated, exposing users to significant risks of malicious content execution.

Affected Version(s)

Agora 0 < 690ce56f254af01375b6033e53a80f14d7cc002e

References

https://github.com/agorafoundation/agora/pull/556

https://github.com/agorafoundation/agora/commit/690ce56f2...

https://github.com/agorafoundation/agora/blob/90f7f9c217c...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 7, 2025
Vulnerability Reserved
Aug 7, 2025