CVE-2025-52898

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2	Patch
https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66	Patch
https://github.com/frappe/frappe/pull/31522	Issue Tracking
https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

08 Jul 2025, 14:43

Type	Values Removed	Values Added
First Time		Frappe frappe Frappe
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:frappe:frappe::::::::
References	~~() https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2 -~~	() https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2 - Patch
References	~~() https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66 -~~	() https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66 - Patch
References	~~() https://github.com/frappe/frappe/pull/31522 -~~	() https://github.com/frappe/frappe/pull/31522 - Issue Tracking
References	~~() https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j -~~	() https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j - Vendor Advisory
Summary		(es) Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.94.3 y 15.58.0, una solicitud cuidadosamente manipulada podía permitir que un atacante malicioso accediera al token de restablecimiento de contraseña de un usuario. Esto solo se puede explotar en instancias alojadas en servidores propios con una configuración específica. Los usuarios de Frappe Cloud están seguros. Este problema se ha corregido en las versiones 14.94.3 y 15.58.0. Las soluciones alternativas incluyen verificar las URL de restablecimiento de contraseña antes de acceder a ellas o actualizar la versión para usuarios alojados en servidores propios.

30 Jun 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-30 18:15

Updated : 2025-07-08 14:43

NVD link : CVE-2025-52898

Mitre link : CVE-2025-52898

CVE.ORG link : CVE-2025-52898

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

8.8 /10