CVE-2025-66205 - Vulnerability Details - OpenCVE

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b
https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9

History

Mon, 01 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 01 Dec 2025 20:45:00 +0000

Type	Values Removed	Values Added
Description		Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.
Title		Frappe has the possibility of SQL Injection due to improper validations
Weaknesses		CWE-89
References		https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-12-01T20:26:14.459Z

Updated: 2025-12-01T21:19:52.208Z

Reserved: 2025-11-24T23:01:29.677Z

Link: CVE-2025-66205

Vulnrichment

Updated: 2025-12-01T20:37:38.415Z

NVD

Status : Received

Published: 2025-12-01T21:15:52.443

Modified: 2025-12-01T21:15:52.443

Link: CVE-2025-66205

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66205", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-24T23:01:29.677Z", "datePublished": "2025-12-01T20:26:14.459Z", "dateUpdated": "2025-12-01T21:19:52.208Z"}, "containers": {"cna": {"title": "Frappe has the possibility of SQL Injection due to improper validations", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9"}, {"name": "https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b", "tags": ["x_refsource_MISC"], "url": "https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b"}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"version": ">= 15.0.0, < 15.86.0", "status": "affected"}, {"version": "< 14.99.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-01T20:26:47.841Z"}, "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2."}], "source": {"advisory": "GHSA-mp93-8vxr-hqq9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-01T21:19:47.994059Z", "id": "CVE-2025-66205", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-01T21:19:52.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66205", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-01T20:37:33.509699Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-01T20:37:38.415Z"}}], "cna": {"title": "Frappe has the possibility of SQL Injection due to improper validations", "source": {"advisory": "GHSA-mp93-8vxr-hqq9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frappe", "product": "frappe", "versions": [{"status": "affected", "version": ">= 15.0.0, < 15.86.0"}, {"status": "affected", "version": "< 14.99.2"}]}], "references": [{"url": "https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9", "name": "https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b", "name": "https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-01T20:26:47.841Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66205", "state": "PUBLISHED", "dateUpdated": "2025-12-01T20:37:44.227Z", "dateReserved": "2025-11-24T23:01:29.677Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-01T20:26:14.459Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}