平台
other
组件
polarlearn
修复版本
0.0.1
CVE-2026-25221 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PolarLearn, a free and open-source learning program. This flaw allows attackers to leverage the OAuth 2.0 implementation for GitHub and Google login providers to hijack user sessions. The vulnerability exists in versions up to v0-PRERELEASE-15, and a fix is available in version 0.0.1.
An attacker can exploit this CSRF vulnerability to trick a legitimate user into unknowingly performing actions on their behalf within PolarLearn. Specifically, the attacker can pre-authenticate a session using the victim's GitHub or Google account. Any data the victim subsequently enters, such as academic progress or personal information, will be stored on the attacker's account, leading to data loss for the victim. Furthermore, the attacker gains access to information associated with the victim's account, resulting in information disclosure. This vulnerability highlights the importance of proper state parameter validation in OAuth 2.0 flows.
CVE-2026-25221 was publicly disclosed on 2026-02-02. There is currently no known public proof-of-concept (POC) available. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is currently considered low due to the lack of a public POC and the relatively recent disclosure.
Educational institutions and individuals using PolarLearn for online learning are at risk. Specifically, users who rely on GitHub or Google for authentication are particularly vulnerable. Those using older, unpatched versions of PolarLearn are most susceptible to exploitation.
disclosure
漏洞利用状态
EPSS
0.01% (2% 百分位)
CISA SSVC
The primary mitigation for CVE-2026-25221 is to immediately upgrade PolarLearn to version 0.0.1 or later, which contains the fix for this CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which PolarLearn can load resources. Additionally, educate users about the risks of clicking on suspicious links or visiting untrusted websites while logged into PolarLearn. While a WAF may offer some protection, it is not a substitute for patching the application.
将PolarLearn升级到0-PRERELEASE-15之后的版本。这修复了GitHub和Google登录提供商的OAuth 2.0身份验证中的CSRF漏洞。升级实现了在身份验证流程中对state参数的验证,防止攻击者预先认证一个会话并欺骗受害者登录到攻击者的帐户。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-25221 is a Cross-Site Request Forgery (CSRF) vulnerability in PolarLearn versions up to v0-PRERELEASE-15, allowing attackers to hijack user sessions via GitHub and Google OAuth login.
You are affected if you are using PolarLearn versions prior to 0.0.1 and rely on GitHub or Google for authentication.
Upgrade PolarLearn to version 0.0.1 or later to resolve the vulnerability. Consider implementing a Content Security Policy (CSP) as a temporary mitigation.
There is currently no confirmed active exploitation of CVE-2026-25221, but the lack of a public proof-of-concept does not guarantee safety.
Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.