CVE-2025-52898

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2	Patch
https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66	Patch
https://github.com/frappe/frappe/pull/31522	Issue Tracking
https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

08 Jul 2025, 14:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-30 18:15

Updated : 2025-07-08 14:43

NVD link : CVE-2025-52898

Mitre link : CVE-2025-52898

CVE.ORG link : CVE-2025-52898

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-52898", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-30T18:15:25.773", "references": [{"url": "https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frappe/frappe/pull/31522", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users."}, {"lang": "es", "value": "Frappe es un framework de aplicaciones web integral. Antes de las versiones 14.94.3 y 15.58.0, una solicitud cuidadosamente manipulada pod\u00eda permitir que un atacante malicioso accediera al token de restablecimiento de contrase\u00f1a de un usuario. Esto solo se puede explotar en instancias alojadas en servidores propios con una configuraci\u00f3n espec\u00edfica. Los usuarios de Frappe Cloud est\u00e1n seguros. Este problema se ha corregido en las versiones 14.94.3 y 15.58.0. Las soluciones alternativas incluyen verificar las URL de restablecimiento de contrase\u00f1a antes de acceder a ellas o actualizar la versi\u00f3n para usuarios alojados en servidores propios."}], "lastModified": "2025-07-08T14:43:50.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1A94A0B-B5E4-4F08-8817-7BC2C61922AB", "versionEndExcluding": "14.94.3"}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD95653C-461E-44CD-A6D6-918E52A0A895", "versionEndExcluding": "15.58.0", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}