
CVE-2025-47942: CWE-862: Missing Authorization in openedx edx-platform

Medium
Type: Vulnerability
Tags: cve, cve-2025-47942, cwe-862
Published: Wed May 21 2025 (05/21/2025, 21:15:06 UTC)
Source: CVE
Vendor/Project: openedx
Product: edx-platform

Description

The Open edX Platform is a learning management platform. Prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, edxapp has no built-in protection against downloading the python_lib.zip asset from courses, which is a concern since it often contains custom grading code or answers to course problems. This potentially affects any course using custom Python-graded problem blocks. The openedx/configuration repo has had a patch since 2016 in the form of an nginx rule, but this was only intended as a temporary mitigation. As the configuration repo has been deprecated and we have not been able to locate any similar protection in Tutor, it is likely that most deployments have no protection against python_lib.zip being downloaded. The recommended mitigation, implemented in commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, restricts python_lib.zip downloads to just the course team and site staff/superusers.

AI-Powered Analysis

Last updated: 07/07/2025, 10:28:48 UTC

Technical Analysis

CVE-2025-47942 is a medium-severity vulnerability in the Open edX platform's edx-platform component, specifically related to missing authorization controls (CWE-862). The vulnerability exists in versions of edx-platform prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba. Open edX is a widely used open-source learning management system (LMS) that supports online courses, including those with custom Python-graded problem blocks. The issue arises because the platform did not enforce access restrictions on downloading the python_lib.zip asset from courses. This archive often contains sensitive course materials such as custom grading code or answers to course problems, which if accessed by unauthorized users, could lead to academic integrity violations or intellectual property exposure. Although a temporary mitigation existed in the form of an nginx rule within the openedx/configuration repository since 2016, this was not a permanent fix and the configuration repo has since been deprecated. Additionally, the newer Tutor deployment method apparently lacks similar protections, meaning many current deployments remain vulnerable. The vulnerability is remotely exploitable without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N), but the impact is limited to confidentiality loss (C:L) without affecting integrity or availability. The recommended fix, implemented in the referenced commit, restricts access to python_lib.zip downloads to authorized course team members and site staff or superusers, thereby preventing unauthorized data exposure. No known exploits have been reported in the wild to date.

Potential Impact

For European organizations using Open edX for delivering online education, this vulnerability poses a risk of unauthorized disclosure of sensitive course materials, including grading scripts and answer keys. Such exposure could undermine the integrity of assessments, facilitate cheating, and damage the reputation of educational institutions. Intellectual property embedded in custom grading code could also be leaked, potentially affecting competitive advantage or compliance with data protection policies. While the vulnerability does not directly impact system availability or integrity, the confidentiality breach could have significant academic and operational consequences. Institutions relying on Open edX for certification or regulated training may face compliance challenges if sensitive content is improperly accessed. Given the remote and unauthenticated nature of the exploit, attackers could easily harvest sensitive course data if the platform is not patched or properly configured. This is particularly relevant for European universities, training providers, and corporate learning environments that use Open edX extensively.

Mitigation Recommendations

European organizations should immediately verify their Open edX deployment version and update to the patched version including commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba or later. For deployments using the deprecated openedx/configuration repo, ensure that the nginx rule restricting access to python_lib.zip is still in place and correctly configured. For those using Tutor or other deployment methods, implement equivalent access controls to restrict downloads of python_lib.zip to authorized course staff and site administrators. Additionally, conduct audits of course assets to identify any sensitive files exposed publicly and remove or secure them. Organizations should also review their course content policies to minimize embedding sensitive grading logic in downloadable assets. Monitoring access logs for unusual download activity of python_lib.zip or similar files can help detect exploitation attempts. Finally, educate course administrators about the importance of restricting access to sensitive course materials and maintaining up-to-date platform versions.
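The access rule the fix describes, together with a check over access-log lines for the monitoring step, as an added example that is not edx-platform's own code: the user model, the course-team roster, the log format and the asset paths are all assumptions constructed for the example.

```python
# Added example (not edx-platform's own code): models the authorization rule
# the fix enforces for python_lib.zip and flags downloads of that asset in
# constructed access-log lines. User model, roster and log format are assumed.
from dataclasses import dataclass
import re

PROTECTED_ASSET = "python_lib.zip"


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False        # site staff
    is_superuser: bool = False


# Hypothetical course-team roster: course_id -> usernames on the course team.
COURSE_TEAM = {
    "course-v1:DemoX+CS101+2025": {"instructor_a", "ta_b"},
}


def may_download_asset(user, course_id, asset_name):
    """Any course asset is downloadable except python_lib.zip, which only the
    course team and site staff/superusers may fetch (the rule the fix adds)."""
    if asset_name != PROTECTED_ASSET:
        return True
    if not user.is_authenticated:
        return False
    if user.is_staff or user.is_superuser:
        return True
    return user.username in COURSE_TEAM.get(course_id, set())


# Constructed log format: client, user ('-' if anonymous), request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - "GET /asset-v1:DemoX+CS101+2025+type@asset+block@python_lib.zip HTTP/1.1" 200',
    '198.51.100.2 ta_b "GET /asset-v1:DemoX+CS101+2025+type@asset+block@python_lib.zip HTTP/1.1" 200',
    '203.0.113.7 - "GET /asset-v1:DemoX+CS101+2025+type@asset+block@slides.pdf HTTP/1.1" 200',
]


def python_lib_downloads(log_lines):
    """Return (ip, user, status) for each python_lib.zip request. After the
    fix, anonymous requests should be 403; a 200 for user '-' is the signal."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").rsplit("/", 1)[-1].endswith(PROTECTED_ASSET):
            hits.append((m.group("ip"), m.group("user"), int(m.group("status"))))
    return hits
```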


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-14T10:32:43.530Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682e4b280acd01a24924f008

Added to database: 5/21/2025, 9:52:40 PM

Last enriched: 7/7/2025, 10:28:48 AM

Last updated: 8/10/2025, 11:36:00 AM
