CVE-2025-52895

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/c795e351be033070174437324d74f44759a744a6	Patch
https://github.com/frappe/frappe/commit/f0933590103c80c6393647dd0403d399e64c951c	Patch
https://github.com/frappe/frappe/pull/31526	Issue Tracking
https://github.com/frappe/frappe/security/advisories/GHSA-mhj8-jfhf-mcw9	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

08 Jul 2025, 14:10

Type	Values Removed	Values Added
First Time		Frappe frappe Frappe
CPE		cpe:2.3:a:frappe:frappe::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/frappe/frappe/commit/c795e351be033070174437324d74f44759a744a6 -~~	() https://github.com/frappe/frappe/commit/c795e351be033070174437324d74f44759a744a6 - Patch
References	~~() https://github.com/frappe/frappe/commit/f0933590103c80c6393647dd0403d399e64c951c -~~	() https://github.com/frappe/frappe/commit/f0933590103c80c6393647dd0403d399e64c951c - Patch
References	~~() https://github.com/frappe/frappe/pull/31526 -~~	() https://github.com/frappe/frappe/pull/31526 - Issue Tracking
References	~~() https://github.com/frappe/frappe/security/advisories/GHSA-mhj8-jfhf-mcw9 -~~	() https://github.com/frappe/frappe/security/advisories/GHSA-mhj8-jfhf-mcw9 - Vendor Advisory
Summary		(es) Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.94.3 y 15.58.0, se podía realizar una inyección SQL mediante una solicitud especialmente manipulada, lo que podía permitir que personas malintencionadas accedieran a información confidencial. Este problema se ha corregido en las versiones 14.94.3 y 15.58.0. No existen soluciones alternativas aparte de actualizar.

30 Jun 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-30 17:15

Updated : 2025-07-08 14:10

NVD link : CVE-2025-52895

Mitre link : CVE-2025-52895

CVE.ORG link : CVE-2025-52895

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.5 /10