CVE-2025-55731

Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410	Patch
https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd	Patch
https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

22 Aug 2025, 20:53

Type	Values Removed	Values Added
CPE		cpe:2.3:a:frappe:frappe::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
First Time		Frappe frappe Frappe
References	~~() https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410 -~~	() https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410 - Patch
References	~~() https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd -~~	() https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd - Patch
References	~~() https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2 -~~	() https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2 - Vendor Advisory

22 Aug 2025, 18:09

Type	Values Removed	Values Added
Summary		(es) Frappe es un framework de aplicaciones web integral. Una solicitud cuidadosamente manipulada podría extraer datos a los que el usuario normalmente no tendría acceso mediante inyección SQL. Esta vulnerabilidad está corregida en las versiones 15.74.2 y 14.96.15.

20 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-20 16:15

Updated : 2025-08-22 20:53

NVD link : CVE-2025-55731

Mitre link : CVE-2025-55731

CVE.ORG link : CVE-2025-55731

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-55731", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-20T16:15:42.930", "references": [{"url": "https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frappe/frappe/commit/c2b01e3eb6f50e9bd05df0440f5cbf5dfbc1badd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frappe/frappe/security/advisories/GHSA-5p8f-568f-vfq2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15."}, {"lang": "es", "value": "Frappe es un framework de aplicaciones web integral. Una solicitud cuidadosamente manipulada podr\u00eda extraer datos a los que el usuario normalmente no tendr\u00eda acceso mediante inyecci\u00f3n SQL. Esta vulnerabilidad est\u00e1 corregida en las versiones 15.74.2 y 14.96.15."}], "lastModified": "2025-08-22T20:53:21.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3E4598B-ECB0-4264-9344-0FB6333C5065", "versionEndExcluding": "14.96.15"}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAD3D60D-BEC6-4207-AD31-8078145E5520", "versionEndExcluding": "15.74.2", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}