Overview
CVE-2025-66205 details a high-severity SQL injection vulnerability discovered in the Frappe framework, a full-stack web application framework commonly used for building applications like ERPNext. This flaw, present in versions prior to 15.86.0 and 14.99.2, could allow attackers to inject malicious SQL code into specific endpoints due to insufficient parameter validation. Successful exploitation could lead to information disclosure, including retrieving version information.
Technical Details
The vulnerability resides in a specific endpoint within the Frappe framework where user-supplied parameters are not properly validated before being used in SQL queries. An attacker could craft a malicious request containing SQL code within these parameters. Because the injection is error-based, the attacker could glean information from error messages returned by the database, such as the database version or potentially other sensitive data. The specific endpoint and vulnerable parameters are detailed in the upstream fix commit.
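The core defect described above, and the application-level input handling suggested as a workaround in the mitigation section, come down to one rule: values must be bound as query parameters, and identifiers that cannot be bound (column names, sort fields) must be checked against an allowlist. The following added example is not code from the Frappe project or from the advisory; it uses an in-memory SQLite table with constructed rows to contrast an interpolated query with a parameterized one, and to show why the interpolated form also leaks through database errors. The function names and the `tabUser` sample table are assumptions made for illustration only.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory stand-in for a DocType table (sample data, not from the advisory).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabUser (name TEXT, email TEXT, enabled INTEGER)")
    conn.executemany(
        "INSERT INTO tabUser VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1),
         ("bob", "bob@example.com", 1),
         ("svc", "svc@example.com", 0)],
    )
    return conn

def get_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Anti-pattern: the caller-controlled value becomes part of the SQL text.
    # Quotes in `name` change the statement instead of being treated as data,
    # and a malformed statement surfaces as a database error message.
    sql = f"SELECT name, email FROM tabUser WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def get_user_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Fix: bind the value as a parameter; the driver never parses it as SQL.
    return conn.execute(
        "SELECT name, email FROM tabUser WHERE name = ?", (name,)
    ).fetchall()

def vulnerable_query_errors(conn: sqlite3.Connection, name: str) -> bool:
    # Reports whether the interpolated query raises a database error for this input.
    # A single quote in ordinary data ("o'brien") is enough, which is the error
    # channel an error-based injection relies on.
    try:
        get_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

# Identifiers cannot be bound as parameters, so validate them against an allowlist.
ALLOWED_ORDER_FIELDS = {"name", "email"}

def list_users_ordered(conn: sqlite3.Connection, order_by: str) -> List[Tuple[str]]:
    if order_by not in ALLOWED_ORDER_FIELDS:
        raise ValueError(f"unsupported order field: {order_by!r}")
    # Safe only because order_by was just checked against a fixed set of identifiers.
    return conn.execute(f"SELECT name FROM tabUser ORDER BY {order_by}").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(get_user_parameterized(db, "alice"))
    print(vulnerable_query_errors(db, "o'brien"))
```

In Frappe code the same split applies: `frappe.db.sql` accepts a `values` argument for placeholders, which is the form to use for every user-supplied value, while field names used in `ORDER BY` or `SELECT` lists must be validated against the DocType's known fields before they are spliced into the query text.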
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns a score of 7.1 to CVE-2025-66205, which places it in the HIGH severity band.
- CVSS Score: 7.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
This score reflects the relative ease of exploitation and the potential for information disclosure. While the confidentiality impact is rated as low, the ability to glean version information can be used in further attacks.
Possible Impact
Exploitation of CVE-2025-66205 could have the following impacts:
- Information Disclosure: Attackers can potentially retrieve sensitive information, including the database version, which aids in planning further attacks.
- Further Exploitation: Knowledge of the Frappe and database versions can be used to identify and exploit other known vulnerabilities.
Mitigation and Patch Steps
The vulnerability is fixed in Frappe Framework versions 15.86.0 and 14.99.2. To mitigate this vulnerability, it is strongly recommended that you upgrade your Frappe Framework installation to one of these versions or later as soon as possible. If upgrading is not immediately feasible, consider implementing temporary workarounds, such as carefully validating all user input at the application level. However, upgrading remains the most effective and permanent solution.
- Backup your Frappe instance: Before any upgrade, ensure you have a complete backup of your Frappe instance and database.
- Upgrade Frappe Framework: Use the bench update command to upgrade your Frappe Framework installation to a patched release: 15.86.0 or later on the version 15 branch, or 14.99.2 or later on the version 14 branch.
- Verify the upgrade: After the upgrade, thoroughly test your application to ensure that it is functioning correctly.
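The verification step above is easy to get wrong by eyeballing version strings, since the fixed version differs per branch (14.99.2 for version 14, 15.86.0 for version 15). The following added example is not code from the Frappe project; it parses the installed Frappe version, compares it against the branch-specific fix version from this advisory, and reports whether the instance is covered. The assumed input format is the per-app `name version` lines printed by `bench version`; the sample output is constructed.

```python
from typing import Optional, Tuple

# Fix versions stated in the advisory, keyed by major branch.
FIXED_VERSIONS = {14: (14, 99, 2), 15: (15, 86, 0)}

def parse_version(text: str) -> Tuple[int, int, int]:
    # Accepts "15.85.3" or "v15.85.3"; drops pre-release/build suffixes such as "-develop".
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

def is_patched(version_text: str) -> Optional[bool]:
    # True/False when the branch is covered by the advisory, None for other branches
    # (the advisory only states fix versions for the 14 and 15 branches).
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed

def frappe_version_from_bench_output(output: str) -> Optional[str]:
    # Assumed format (one app per line): "<app name> <version>", e.g. "frappe 15.85.3".
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "frappe":
            return fields[1]
    return None

# Constructed sample of `bench version` output used for the demonstration below.
SAMPLE_BENCH_OUTPUT = """erpnext 15.84.0
frappe 15.85.3
"""

def check_sample() -> Optional[bool]:
    version = frappe_version_from_bench_output(SAMPLE_BENCH_OUTPUT)
    return None if version is None else is_patched(version)

if __name__ == "__main__":
    print("installed:", frappe_version_from_bench_output(SAMPLE_BENCH_OUTPUT))
    print("patched:", check_sample())
```

Run it against the real output (for example by piping `bench version` into the script) after `bench update` completes; a result of `None` means the branch is outside the advisory's scope and needs a separate check against the vendor's release notes.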
