PT-2025-22436 · Unknown · Open Edx Platform

Published

2025-05-21

·

Updated

2025-05-22

·

CVE-2025-47942

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

The Open edX Platform, versions prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba

Description

The issue concerns the Open edX Platform, a learning management platform. Prior to a specific commit, there was no built-in protection against downloading the python_lib.zip asset from courses. This asset often contains custom grading code or answers to course problems, so the lack of an authorization check is a concern for courses using custom Python-graded problem blocks. A temporary mitigation was implemented in 2016 through an nginx rule in the openedx/configuration repo, but since this repository has been deprecated and no similar protection was found in Tutor, most deployments likely have no protection against python_lib.zip being downloaded.

Recommendations

For versions prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, restrict python_lib.zip downloads to just the course team and site staff/superusers, as implemented in commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba.
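The authorization gate the recommendation describes, written here as an added example rather than Open edX's own code: it contrasts the pre-fix behaviour (any requester can fetch any course asset) with a check that serves python_lib.zip only to site staff, superusers and the owning course team. The User and CourseTeams types and the course-id strings are hypothetical stand-ins for the platform's models.

```python
# Added example (not Open edX code): an authorization decision for the
# course python_lib.zip asset. User and CourseTeams are hypothetical.
from dataclasses import dataclass, field
from posixpath import basename
from typing import Optional

PYTHON_LIB_ASSET = "python_lib.zip"


@dataclass
class User:
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    authenticated: bool = True


@dataclass
class CourseTeams:
    # course_id -> usernames on that course's team (hypothetical store)
    members: dict = field(default_factory=dict)

    def is_member(self, course_id: str, user: User) -> bool:
        return user.username in self.members.get(course_id, set())


def is_python_lib_asset(asset_path: str) -> bool:
    # Match on the final path component only, so "static/python_lib.zip"
    # is caught while "python_lib.zip.bak" is treated as an ordinary asset.
    return basename(asset_path.strip("/")) == PYTHON_LIB_ASSET


def legacy_allowed(user: Optional[User], course_id: str, asset_path: str) -> bool:
    # Pre-fix behaviour: every course asset is served with no authz check,
    # so an anonymous requester can fetch the grading code and answers.
    return True


def restricted_allowed(user: Optional[User], course_id: str,
                       asset_path: str, teams: CourseTeams) -> bool:
    # Post-fix behaviour: other assets are unchanged; python_lib.zip is
    # limited to site staff/superusers and the team of the owning course.
    if not is_python_lib_asset(asset_path):
        return True
    if user is None or not user.authenticated:
        return False
    if user.is_superuser or user.is_staff:
        return True
    return teams.is_member(course_id, user)
```

Course-team membership is checked against the course being requested, so an instructor of one course cannot use that role to pull another course's python_lib.zip.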

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-47942
GHSA-X5CM-2HPQ-PW57

Affected Products

Open Edx Platform