CVE-2025-55731

Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410	Patch
https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd	Patch
https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

No history.

Information

Published : 2025-08-20 16:15

Updated : 2025-08-22 20:53

NVD link : CVE-2025-55731

Mitre link : CVE-2025-55731

CVE.ORG link : CVE-2025-55731

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-55731", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-20T16:15:42.930", "references": [{"url": "https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15."}, {"lang": "es", "value": "Frappe es un framework de aplicaciones web integral. Una solicitud cuidadosamente manipulada podr\u00eda extraer datos a los que el usuario normalmente no tendr\u00eda acceso mediante inyecci\u00f3n SQL. Esta vulnerabilidad est\u00e1 corregida en las versiones 15.74.2 y 14.96.15."}], "lastModified": "2025-08-22T20:53:21.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3E4598B-ECB0-4264-9344-0FB6333C5065", "versionEndExcluding": "14.96.15"}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAD3D60D-BEC6-4207-AD31-8078145E5520", "versionEndExcluding": "15.74.2", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}