SQL Injection Vulnerability in Frappe Framework Affects Sensitive Data Access
CVE-2025-55732

8.7HIGH

Key Information:

Vendor

Frappe

Status
Frappe
Vendor
CVE Published:
20 August 2025

What is CVE-2025-55732?

Frappe, a full-stack web application framework, has encountered a SQL injection vulnerability that could enable attackers to execute arbitrary SQL queries through specially crafted requests. This security flaw poses a significant risk, allowing unauthorized access to sensitive information. Notably, this vulnerability serves as a bypass for the previous patch addressing CVE-2025-52895. Users are urged to upgrade to Frappe Framework versions 15.74.2 or 14.96.15 to mitigate the risks associated with this issue.

Affected Version(s)

frappe >= 15.0.0, < 15.74.2 < 15.0.0, 15.74.2

frappe < 14.96.15 < 14.96.15

References

https://github.com/frappe/frappe/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce...
x_refsource_MISC
https://github.com/frappe/frappe/commit/abe2cc25e333cd794...
x_refsource_MISC

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-55732 : SQL Injection Vulnerability in Frappe Framework Affects Sensitive Data Access