CVE-2025-52469 Overview
CVE-2025-52469 is a logic vulnerability affecting Chamilo LMS, an open-source learning management system. The flaw exists in the friend request workflow within Chamilo's social network module, where an authenticated attacker can bypass the normal friend request acceptance flow by directly calling the AJAX endpoint. This allows forced addition of any user—including non-existent users—as a friend without their consent, breaking access control and social interaction logic with significant privacy implications.
Critical Impact
Authenticated attackers can forcibly add any user as a friend by bypassing the friend request workflow, compromising user privacy and social network integrity within the LMS platform.
Affected Products
- Chamilo LMS versions prior to 1.11.30
- Chamilo LMS social network module
- Chamilo LMS AJAX endpoints for friend management
Discovery Timeline
- 2026-03-02 - CVE-2025-52469 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2025-52469
Vulnerability Analysis
The vulnerability stems from improper enforcement of behavioral workflow in Chamilo's social networking feature. The application fails to verify whether a legitimate friend request invitation exists before processing friend acceptance requests. When a user attempts to accept a friend request via the AJAX endpoint at main/inc/ajax/social.ajax.php, the vulnerable code directly creates a mutual friendship relationship without validating that the sender actually sent an invitation to the receiver.
This design flaw allows an authenticated user to manipulate the friend_id parameter in the AJAX call to force-add any user in the system as a friend, completely bypassing the intended invitation-acceptance workflow. The attack requires only low-privilege authenticated access and can be executed remotely over the network without any user interaction.
Root Cause
The root cause is classified under CWE-841 (Improper Enforcement of Behavioral Workflow). The vulnerable code in main/inc/ajax/social.ajax.php immediately processed friend acceptance requests by calling UserManager::relate_users() and SocialManager::invitation_accepted() without first verifying that a pending invitation from the specified friend_id actually existed. This missing validation check allowed attackers to skip the invitation step entirely.
Attack Vector
The attack is network-based and requires only authenticated access with low privileges. An attacker can exploit this vulnerability by:
- Authenticating to the Chamilo LMS platform with any valid user account
- Crafting a direct HTTP request to the AJAX endpoint main/inc/ajax/social.ajax.php
- Supplying an arbitrary friend_id parameter targeting any user in the system
- The system then processes the request and creates a bidirectional friendship relationship without checking that an invitation was ever sent
The following patch demonstrates how the vulnerability was addressed by adding invitation validation:
}
if (isset($_GET['friend_id'])) {
- $my_current_friend = $_GET['friend_id'];
- UserManager::relate_users($current_user_id, $my_current_friend, $relation_type);
- UserManager::relate_users($my_current_friend, $current_user_id, $relation_type);
- SocialManager::invitation_accepted($my_current_friend, $current_user_id);
- Display::addFlash(
- Display::return_message(get_lang('AddedContactToList'), 'success')
- );
+ $my_current_friend = (int) $_GET['friend_id'];
+
+ if (SocialManager::hasInvitationByUser($current_user_id, $my_current_friend)) {
+ UserManager::relate_users($current_user_id, $my_current_friend, $relation_type);
+ UserManager::relate_users($my_current_friend, $current_user_id, $relation_type);
+ SocialManager::invitation_accepted($my_current_friend, $current_user_id);
+ Display::addFlash(
+ Display::return_message(get_lang('AddedContactToList'), 'success')
+ );
+ }
}
}
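Review bot: the new `if (SocialManager::hasInvitationByUser(...))` branch has no `else`, so a request whose friend_id has no pending invitation is dropped silently: no error message is flashed and nothing is logged, which leaves operators with no application-level record of a rejected attempt. Consider adding an `else` that flashes an error (for example `Display::return_message(get_lang('...'), 'error')`) and writes the current user id, the supplied friend_id and the remote address to the log, so that rejected acceptances are visible to the detection methods described below. The `(int)` cast on `$_GET['friend_id']` is a good addition and should stay.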
Source: GitHub Commit
The fix introduces a new validation function hasInvitationByUser() that checks for pending invitations before processing:
public static function hasInvitationByUser(int $receiverId, int $senderId): bool
{
    $result = Database::select(
        'count(1) as count',
        Database::get_main_table(TABLE_MESSAGE),
        [
            'where' => [
                'user_sender_id = ?' => $senderId,
                'AND user_receiver_id = ?' => $receiverId,
                'AND msg_status = ?' => MESSAGE_STATUS_INVITATION_PENDING,
            ],
        ],
        'first'
    );

    return $result['count'] > 0;
}
Source: GitHub Commit
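To make the root cause and the fix concrete, the following is an added example (not Chamilo code and not part of the advisory) that models the acceptance handler in Python before and after the patch. The Lms class, the two status strings and users 1, 2, 3 and 999 are constructed stand-ins for Chamilo's message and user-relation tables; has_invitation_by_user keeps the (receiverId, senderId) argument order of the real hasInvitationByUser(), and php_int_cast approximates the (int) cast the patch adds.

```python
"""Added example, not Chamilo code: a Python model of the friend-acceptance
handler before and after the CVE-2025-52469 fix. The in-memory Lms class is a
constructed stand-in for Chamilo's message and user-relation tables."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for the msg_status values the patch refers to.
MESSAGE_STATUS_INVITATION_PENDING = "invitation_pending"
MESSAGE_STATUS_INVITATION_ACCEPTED = "invitation_accepted"


@dataclass
class Lms:
    """Minimal model of the two tables the handler touches (constructed)."""
    users: Set[int]
    messages: List[Dict] = field(default_factory=list)          # sender, receiver, status
    friends: Set[Tuple[int, int]] = field(default_factory=set)  # directed (user, friend) rows

    def send_invitation(self, sender_id: int, receiver_id: int) -> None:
        self.messages.append({"sender": sender_id, "receiver": receiver_id,
                              "status": MESSAGE_STATUS_INVITATION_PENDING})

    def has_invitation_by_user(self, receiver_id: int, sender_id: int) -> bool:
        """Mirrors hasInvitationByUser(): is there a PENDING invitation from
        sender_id to receiver_id? Argument order follows the PHP signature."""
        return any(m["sender"] == sender_id and m["receiver"] == receiver_id
                   and m["status"] == MESSAGE_STATUS_INVITATION_PENDING
                   for m in self.messages)

    def relate_users(self, user_id: int, friend_id: int) -> None:
        self.friends.add((user_id, friend_id))

    def invitation_accepted(self, sender_id: int, receiver_id: int) -> None:
        # Consume the pending invitation so it cannot be accepted twice.
        for m in self.messages:
            if (m["sender"] == sender_id and m["receiver"] == receiver_id
                    and m["status"] == MESSAGE_STATUS_INVITATION_PENDING):
                m["status"] = MESSAGE_STATUS_INVITATION_ACCEPTED


def php_int_cast(value) -> int:
    """Approximates PHP's (int) cast on a query-string value: non-numeric -> 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def accept_friend_vulnerable(lms: Lms, current_user_id: int, friend_id) -> bool:
    """Pre-fix behaviour: friend_id from the request is trusted as-is and the
    mutual friendship is written without checking that any invitation exists."""
    lms.relate_users(current_user_id, friend_id)
    lms.relate_users(friend_id, current_user_id)
    lms.invitation_accepted(friend_id, current_user_id)
    return True


def accept_friend_fixed(lms: Lms, current_user_id: int, friend_id_param) -> bool:
    """Post-fix behaviour (1.11.30): cast to int and require a pending invitation
    FROM friend_id TO the current user before relating the two accounts."""
    friend_id = php_int_cast(friend_id_param)
    if not lms.has_invitation_by_user(current_user_id, friend_id):
        return False  # no pending invitation: the request is ignored
    lms.relate_users(current_user_id, friend_id)
    lms.relate_users(friend_id, current_user_id)
    lms.invitation_accepted(friend_id, current_user_id)
    return True


def demo() -> dict:
    """Runs both handlers on the same scenario; user 999 does not exist at all."""
    before = Lms(users={1, 2, 3})
    accept_friend_vulnerable(before, current_user_id=1, friend_id=999)

    after = Lms(users={1, 2, 3})
    after.send_invitation(sender_id=2, receiver_id=1)  # only user 2 invited user 1
    return {
        "vulnerable_forced_add": (1, 999) in before.friends and (999, 1) in before.friends,
        "fixed_forced_add": accept_friend_fixed(after, 1, 999),       # no invitation
        "fixed_non_numeric": accept_friend_fixed(after, 1, "abc"),    # casts to 0
        "fixed_legitimate_accept": accept_friend_fixed(after, 1, 2),  # pending invitation
        "fixed_replayed_accept": accept_friend_fixed(after, 1, 2),    # already consumed
        "friends_after_fix": sorted(after.friends),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows the two properties a reviewer would want from the fix: an acceptance is only honoured when a pending invitation from that exact sender exists, and accepting consumes the invitation so the same request cannot be replayed. The existence check on the user id is not part of the patch; a nonexistent id is rejected only because no invitation from it can exist.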
Detection Methods for CVE-2025-52469
Indicators of Compromise
- Unusual volume of friend requests being processed without corresponding invitation records
- Database entries showing friendship relationships without prior pending invitation status
- HTTP access logs showing direct calls to main/inc/ajax/social.ajax.php with friend_id parameters from suspicious IP addresses
- Users reporting unwanted friend connections they did not approve
Detection Strategies
- Monitor web server access logs for direct requests to the social.ajax.php endpoint with friend_id parameters
- Implement database auditing to detect friendship records created without corresponding invitation entries
- Review authentication logs for accounts making repeated friend acceptance requests in short timeframes
- Deploy web application firewall rules to flag suspicious patterns in social module AJAX calls
Monitoring Recommendations
- Enable detailed logging for all social network module interactions in Chamilo
- Set up alerts for abnormal friendship creation patterns that bypass invitation workflow
- Regularly audit the user relationship tables for integrity violations
- Monitor for automated requests targeting the vulnerable AJAX endpoint
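The two checks recommended under Detection Strategies and Monitoring Recommendations (access-log review for bursts of friend_id calls to social.ajax.php, and a database audit for friendships with no invitation behind them) can be scripted. The following is an added example, not part of the advisory or of Chamilo; the log lines, the friendship and invitation rows and the status strings are constructed sample data, and the 60-second window and threshold of three are illustrative settings.

```python
"""Added example, not part of the advisory or of Chamilo: two detection checks
for CVE-2025-52469 activity run over constructed sample data.
(1) access-log review: clients hitting social.ajax.php with a friend_id
    parameter several times in a short window;
(2) database audit: friendship rows with no invitation record behind them."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/main/inc/ajax/social.ajax.php"

# Constructed sample lines (not real traffic): 203.0.113.7 "accepts" four
# friends in 40 seconds, one of them a nonexistent id; 198.51.100.5 makes one.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:15:01 +0000] "GET /main/inc/ajax/social.ajax.php?friend_id=2 HTTP/1.1" 200 312
198.51.100.5 - - [10/Mar/2026:09:15:05 +0000] "GET /main/social/home.php HTTP/1.1" 200 8812
203.0.113.7 - - [10/Mar/2026:09:15:12 +0000] "GET /main/inc/ajax/social.ajax.php?friend_id=3 HTTP/1.1" 200 312
198.51.100.5 - - [10/Mar/2026:09:15:20 +0000] "GET /main/inc/ajax/social.ajax.php?friend_id=7 HTTP/1.1" 200 312
203.0.113.7 - - [10/Mar/2026:09:15:25 +0000] "GET /main/inc/ajax/social.ajax.php?friend_id=4 HTTP/1.1" 200 312
203.0.113.7 - - [10/Mar/2026:09:15:41 +0000] "GET /main/inc/ajax/social.ajax.php?friend_id=999 HTTP/1.1" 200 312
"""

# Constructed rows standing in for the user-relation and message tables.
SAMPLE_FRIENDSHIPS = [(1, 2), (2, 1), (1, 999), (999, 1), (5, 6), (6, 5)]
SAMPLE_INVITATIONS = [  # (sender, receiver, status)
    (2, 1, "invitation_accepted"),
    (6, 5, "invitation_accepted"),
]


def friend_accept_events(lines: Iterable[str]) -> List[Tuple[str, datetime, str]]:
    """Extract (client_ip, timestamp, friend_id) for every hit on the endpoint
    that carries a friend_id parameter."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        qs = parse_qs(parts.query)
        if "friend_id" not in qs:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, qs["friend_id"][0]))
    return events


def burst_clients(events, window=timedelta(seconds=60), threshold=3) -> Dict[str, List[str]]:
    """Clients with at least `threshold` acceptances inside any `window`;
    returns the friend_ids seen in the densest window per flagged client."""
    by_ip = defaultdict(list)
    for ip, ts, fid in events:
        by_ip[ip].append((ts, fid))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = [], 0
        for end in range(len(evs)):            # sliding window over sorted times
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = [fid for _, fid in evs[start:end + 1]]
            if len(current) > len(best):
                best = current
        if len(best) >= threshold:
            flagged[ip] = best
    return flagged


def orphan_friendships(friendships, invitations) -> List[Tuple[int, int]]:
    """Friend pairs with no invitation row in either direction: in a patched
    system every friendship should be traceable to an accepted invitation."""
    invited = {frozenset((s, r)) for s, r, _ in invitations}
    orphans = {frozenset(pair) for pair in friendships if frozenset(pair) not in invited}
    return sorted(tuple(sorted(p)) for p in orphans)


def run_detection() -> dict:
    events = friend_accept_events(SAMPLE_LOG.splitlines())
    return {
        "accept_events": len(events),
        "burst_clients": burst_clients(events),
        "orphan_friendships": orphan_friendships(SAMPLE_FRIENDSHIPS, SAMPLE_INVITATIONS),
    }


if __name__ == "__main__":
    for key, value in run_detection().items():
        print(f"{key}: {value}")
```

Two caveats when applying this to real data: web server logs identify only the client address, so tying a burst to a Chamilo account requires the application's own logs or session records; and the orphan check is only meaningful for friendships created after the invitation table was complete, since legitimately accepted invitations that were later purged would also show up as orphans.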
How to Mitigate CVE-2025-52469
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.30 or later immediately
- Review existing user friendships for any suspicious or unauthorized connections
- Audit access logs to identify potential exploitation attempts
- Notify users to review their friend lists for unauthorized additions
Patch Information
The vulnerability has been addressed in Chamilo LMS version 1.11.30. The fix implements proper validation by checking for the existence of a pending invitation before processing friend acceptance requests. The patch adds the hasInvitationByUser() function in main/inc/lib/social.lib.php and integrates the validation check in main/inc/ajax/social.ajax.php.
Patch details are available in the GitHub Commit and the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, restrict access to the social network module until the update is applied
- Implement web application firewall rules to block or monitor requests to main/inc/ajax/social.ajax.php
- Temporarily disable the friend request functionality at the application level
- Apply network-level access controls to limit who can reach the LMS admin and social features
# Example: Block access to vulnerable endpoint using Apache .htaccess
# (Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat,
# the native 2.4 form is "Require ip 192.168.1.0/24")
<Files "social.ajax.php">
    Order Deny,Allow
    Deny from all
    # Allow only trusted internal networks
    Allow from 192.168.1.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.