CVE-2025-65267: Stored XSS via SVG Avatars in ERPNext and Frappe Framework

Overview

CVE-2025-65267 is a stored cross-site scripting (XSS) vulnerability reported against ERPNext v15.83.2 and Frappe Framework v15.86.0. The root cause is that SVG files uploaded as user avatars are stored and served back without sanitization. SVG is an XML document format that may legitimately contain <script> elements, event-handler attributes such as onload, and javascript: links, so any user who can set their own avatar can upload an SVG that carries JavaScript. When an administrator opens that avatar in the browser, the script runs with the administrator's authenticated session. Depending on what that session is allowed to do, this can be turned into account takeover, escalation from an ordinary user to an administrator, and control over anything the administrator can reach through the ERPNext interface.

Technical Details

The avatar upload path accepts SVG files without stripping active content. SVG is XML, and a browser treats an SVG document much like an HTML page: <script> elements, event-handler attributes (onload, onclick and the rest) and javascript: URLs in href or xlink:href attributes all execute when the file is loaded as a document. Two details matter for how the bug is triggered. First, browsers do not run scripts in an SVG that is displayed through an <img> tag or a CSS background, so an avatar rendered inline on a page is not by itself enough; the payload fires when the administrator clicks the avatar and the browser opens the SVG file directly, which is the interaction described in the report. Second, when the uploaded file is served from the same origin as the application, the script runs in that origin and therefore with the administrator's session: it can read any cookie that is not marked HttpOnly and, more importantly, send authenticated requests to the application's API. This is a stored XSS because the payload lives on the server as the avatar file and executes every time that file is opened.

CVSS Analysis

No CVSS score or severity had been published for CVE-2025-65267 at the time of writing. Until the ERPNext and Frappe Framework teams, or the GitHub advisory, assign one, treat the issue as a priority fix on any instance where users can set their own avatar and administrators browse user records. We will update this article when the CVSS score becomes available.

Possible Impact

Successful exploitation of CVE-2025-65267 runs attacker-controlled JavaScript inside an administrator's browser session, which can lead to:

  • Account Takeover: The script can read the session cookie if it is not marked HttpOnly and, in any case, can issue authenticated requests on the administrator's behalf, for example to change that account's password or e-mail address, which hands the account to the attacker.
  • Privilege Escalation: Any user who is allowed to upload an avatar (a low-privileged account is enough) can use those requests to grant roles to their own account or create a new administrative user.
  • Data Theft: Records the administrator can read through the ERPNext UI or REST API can be fetched by the script and sent to a server the attacker controls.
  • System Compromise: Every administrative function reachable from the web interface becomes available to the attacker, so the blast radius is whatever an ERPNext administrator can do on that instance, including settings that affect the underlying server and connected systems.

Mitigation or Patch Steps

The fix is to upgrade ERPNext and Frappe Framework to the patched releases named in the GitHub advisory for CVE-2025-65267. Where an upgrade cannot happen immediately, the following reduce exposure:

  • Disable SVG Avatar Uploads (Temporary): Accept only raster formats (PNG, JPEG) for avatars, and decide by inspecting the file's contents on the server, not by the file extension or the Content-Type the client sends, since both are under the uploader's control.
  • Strict Content Security Policy (CSP): A CSP on the application's HTML pages does not help here, because the payload runs when the SVG file itself is opened as a document. The policy has to be attached to the responses that deliver uploaded files: serve them with Content-Security-Policy: default-src 'none' (or the sandbox directive), add Content-Disposition: attachment so the browser downloads rather than renders them, and, better still, serve user uploads from a separate origin so that any script that does run has no access to the application's session.
  • Input Validation: Parse every uploaded SVG as XML on the server and reject (preferably) or strip <script> and <foreignObject> elements, on* event-handler attributes, href/xlink:href values that are not in-document fragment references, and style rules that load external URLs. Keep the sanitization library up to date, because bypasses of SVG sanitizers are found regularly.
  • Regular Security Audits: Include file-upload handling in regular security audits and penetration tests; unrestricted upload of active content types such as SVG and HTML is a recurring finding.
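
The following is an added example, not code from ERPNext, Frappe Framework or the advisory. It implements the check described under Technical Details (spotting script elements, event handlers and javascript: links in an SVG) and the Input Validation item above as two functions: find_active_content(), which returns the policy violations in an uploaded SVG, and sanitize_svg(), which strips them. The allow/deny policy it encodes (no scripting or foreign-content elements, no on* attributes, only "#fragment" links, no external url() in styles) is an assumption chosen for avatar images, and the malicious sample at the bottom is constructed for the demonstration. It uses only the Python standard library; in production, parse untrusted XML through defusedxml (defusedxml.ElementTree.fromstring) so a hostile file cannot trigger entity-expansion denial of service.

```python
"""Added example, not ERPNext/Frappe code: a minimal SVG avatar policy check."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep <svg> unprefixed when re-serializing
ET.register_namespace("xlink", XLINK_NS)

# Policy assumed for avatars (an assumption of this example): anything that can
# run code, load foreign content or rewrite attributes at runtime is disallowed.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "object", "embed",
                  "handler", "animate", "set"}
URL_ATTRS = {"href", "src"}
# url(...) that does not point at an in-document fragment, or legacy expression()
_STYLE_RE = re.compile(r"url\s*\(\s*['\"]?\s*(?!#)|expression\s*\(", re.I)


def _local(name):
    """'{namespace}tag' -> 'tag', lowercased."""
    return name.rsplit("}", 1)[-1].lower()


def _normalize_url(value):
    """Drop control characters and whitespace that browsers ignore inside a
    scheme ('jav<TAB>ascript:' still runs), then lowercase for comparison."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def _bad_attr(name, value):
    """True for event handlers, non-fragment URLs and styles loading external URLs."""
    return (name.startswith("on")
            or (name in URL_ATTRS and not _normalize_url(value).startswith("#"))
            or (name == "style" and bool(_STYLE_RE.search(value))))


def find_active_content(svg_bytes):
    """Return a list of policy violations; an empty list means the file passes."""
    root = ET.fromstring(svg_bytes)
    findings = []
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in DANGEROUS_TAGS:
            findings.append("element <%s>" % tag)
        if tag == "style" and elem.text and _STYLE_RE.search(elem.text):
            findings.append("<style> block loading an external url()")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if _bad_attr(name, value):
                findings.append("attribute %s=%r on <%s>" % (name, value, tag))
    return findings


def sanitize_svg(svg_bytes):
    """Return the SVG with every construct find_active_content() flags removed.
    Rejecting the upload outright is the safer choice; strip only if you must."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    # Snapshot the element list: the tree is mutated while walking it.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
    for elem in root.iter():
        if _local(elem.tag) == "style" and elem.text and _STYLE_RE.search(elem.text):
            elem.text = ""
        for attr in list(elem.attrib):
            if _bad_attr(_local(attr), elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


# Constructed sample (not a payload from the advisory): an avatar carrying the
# three classic SVG XSS vectors plus an external tracking image. The tab inside
# "jav&#x09;ascript:" shows why the scheme must be normalized before checking.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="64" height="64" onload="alert(document.domain)">
  <circle cx="32" cy="32" r="30" fill="#4a90d9"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="jav&#x09;ascript:alert(1)"><text x="12" y="38">hi</text></a>
  <image href="https://tracker.invalid/pixel.png" width="1" height="1"/>
</svg>
"""

if __name__ == "__main__":
    for finding in find_active_content(MALICIOUS_SVG):
        print("reject:", finding)
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Run against the sample, find_active_content() reports four violations (the onload handler, the script element, the javascript: link and the external image); sanitize_svg() returns a file that passes the check with the circle intact. Note that the check looks at the parsed XML, not at the raw text, so obfuscation with character references and embedded whitespace is handled by the parser and by _normalize_url rather than by string matching.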

Always refer to the GitHub security advisory and the official ERPNext and Frappe Framework documentation for the most up-to-date advisory and patch information.

References

CVE-2025-65267 Details on GitHub
ERPNext GitHub Repository
Frappe Framework GitHub Repository

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
