Chamilo LMS is an open-source learning management system widely used by educational institutions and organizations for online learning. The vulnerability identified as CVE-2025-52469 resides in the social network module's friend request workflow prior to version 1.11.30. Normally, friend requests require a two-step process: sending a request and receiving acceptance. However, due to improper enforcement of the workflow logic (CWE-841), an authenticated user can bypass this process by directly calling the AJAX endpoint responsible for adding friends. This allows the attacker to forcibly add any user as a friend without their consent, including users that do not exist in the system. This flaw breaks the intended access control and social interaction logic, potentially leading to privacy violations such as unauthorized access to user profiles or social data. The vulnerability requires authentication but no user interaction, and the attack vector is network-based with low complexity. The CVSS 3.1 score of 7.1 reflects a high severity due to the high impact on integrity (unauthorized friend additions) and low impact on confidentiality (limited data exposure) and no impact on availability. The issue has been addressed and patched in Chamilo LMS version 1.11.30. No known exploits have been reported in the wild, but the vulnerability poses a risk to organizations relying on affected versions for secure social interactions within their LMS environment.

The primary impact of CVE-2025-52469 is the unauthorized manipulation of social connections within the Chamilo LMS platform. Attackers can forcibly add users as friends without their consent, which can lead to privacy breaches by exposing personal or academic information intended only for trusted contacts. This undermines the trust model of the social network module and can facilitate further social engineering or targeted attacks within the LMS community. Although the vulnerability does not directly compromise system availability or allow remote code execution, the integrity of user relationships and access controls is compromised. Organizations using affected versions may face reputational damage, loss of user trust, and potential compliance issues related to data privacy regulations. The ability to add non-existent users may also cause data inconsistencies or application errors. Since the flaw requires authenticated access, insider threats or compromised accounts can exploit this vulnerability more easily. Overall, the impact is significant in environments where social networking features are critical for collaboration and communication.

To mitigate CVE-2025-52469, organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. Until the upgrade is applied, administrators should consider disabling the social network module or restricting access to the friend request functionality to trusted users only. Implementing strict authentication and monitoring for unusual friend addition patterns can help detect exploitation attempts. Additionally, reviewing and tightening access control policies around AJAX endpoints and validating all client-side requests on the server side can prevent similar workflow bypass issues. Regularly auditing user relationships and logs for anomalies can also aid in early detection. Educating users about the risks of unauthorized friend connections and encouraging reporting of suspicious activity will enhance overall security posture. Finally, applying the principle of least privilege to user roles within the LMS reduces the risk of exploitation by limiting who can access social features.