Path Traversal Vulnerability in Frappe Framework Affecting Multiple Versions
CVE-2025-66206

6.8MEDIUM

Key Information:

Vendor: Frappe
Status: Frappe
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66206?

The Frappe Framework prior to versions 15.86.0 and 14.99.2 is susceptible to path traversal attacks. This vulnerability allows attackers to access sensitive files from the server if they possess knowledge of the file path. Users hosting applications on Frappe Cloud and setups behind reverse proxies, such as NGINX, are not affected. However, those directly using werkzeug/gunicorn are at risk. It is highly recommended to upgrade to the latest versions or implement a reverse proxy configuration to mitigate potential threats.

Affected Version(s)

frappe >= 15.0.0, < 15.86.0 < 15.0.0, 15.86.0

frappe < 14.99.2 < 14.99.2

References

https://github.com/frappe/frappe/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 24, 2025

JSON