CVE-2025-66205

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b	Patch
https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

No history.

Information

Published : 2025-12-01 21:15

Updated : 2025-12-04 18:49

NVD link : CVE-2025-66205

Mitre link : CVE-2025-66205

CVE.ORG link : CVE-2025-66205

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-66205", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-12-01T21:15:52.443", "references": [{"url": "https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2."}], "lastModified": "2025-12-04T18:49:12.557", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F7C6678-1529-4C46-BF75-8647AF1170C9", "versionEndExcluding": "14.99.2"}, {"criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63006503-DD78-47D9-ACDE-9D3480FAE9F6", "versionEndExcluding": "15.86.0", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}