CVE-2025-52898

June 30, 2025, 6:38 p.m.

8.7
High

Description

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.

Product(s) Impacted

Vendor Product Versions
Frappe
  • Frappe
  • <14.94.3, <15.58.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a frappe frappe <14.94.3 / / / / / / /
a frappe frappe <15.58.0 / / / / / / /

References

https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2
https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66
https://github.com/frappe/frappe/pull/31522
https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j

Tags

security-advisories@github.com
CWE-200
2025-06-30
CVE-2025-52898

CVSS Score

8.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 30, 2025, 6:15 p.m.
Last Modified: June 30, 2025, 6:38 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.