CVE-2025-11461

8.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated Frappe CRM user to execute arbitrary SQL against the backing database by injecting malicious input into dashboard parameters that reach SQL queries. It affects Frappe CRM version 1.53.1; successful exploitation compromises the confidentiality, integrity and availability of the database.

💻 Affected Systems

Products:
  • Frappe CRM
Versions: 1.53.1
Operating Systems: All platforms running Frappe CRM
Default Config Vulnerable: ⚠️ Yes
Notes: Every installation of version 1.53.1 is vulnerable regardless of configuration; there is no configuration setting that disables the affected dashboard code path.

📦 What is this software?

Frappe CRM is the open-source CRM application from the Frappe project (github.com/frappe/crm), built on the Frappe framework and deployed and managed with the bench tool.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized access to and extraction of sensitive CRM data such as customer records, business information, and user credentials.

🟢 If Mitigated

Limited impact: with allow-list input validation and parameterized queries in place, injected input is treated as data and cannot change the structure of the query.

🌐 Internet-Facing: HIGH - Web applications with SQL injection vulnerabilities are prime targets for automated attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this, but external exposure increases risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized in automated attacks. The advisory includes technical details that could be used to create exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check pull request #1339 for specific patched version

Vendor Advisory: https://github.com/frappe/crm/pull/1339

Restart Required: Yes

Instructions:

  1. Update Frappe CRM to the latest release (one that contains pull request #1339).
  2. If you cannot move to that release, apply the fix from pull request #1339 to your installation.
  3. Restart the application server.
  4. Verify the fix: confirm the running version is no longer 1.53.1 and exercise the dashboard with the test payloads listed under "How to Verify".

🔧 Temporary Workarounds

Input Validation Filter
Applies to: all

Implement strict input validation on all dashboard controller parameters. Validate against the set of values the dashboard actually accepts (known field names, statuses, formats) rather than trying to reject "suspicious SQL patterns": a denylist of keywords can be bypassed with encoding or alternative syntax and breaks legitimate values that happen to contain them.

Implement parameter validation in dashboard controller code.

WAF Rule Deployment
Applies to: all

Deploy web application firewall rules to block SQL injection patterns in dashboard requests.

Configure the WAF to block SQL injection patterns in the /api/method/frappe.crm.dashboard.* endpoints. Frappe API calls commonly carry their arguments in the POST body, so make sure the WAF inspects request bodies and URL-decodes them before matching; expect some false positives on free-text fields, and treat this as a stopgap until the patch is applied.
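To make the difference between the workaround above and the real fix concrete, here is an added example (not Frappe CRM's code; the page does not show the vulnerable controller). It uses an in-memory sqlite3 database as a stand-in for the CRM's MariaDB backend, a hypothetical lead-listing dashboard query with status and sort_by parameters, and constructed sample rows. leads_vulnerable formats the parameters into the SQL text; leads_parameterized binds the value with a placeholder (? in sqlite3, %s in frappe.db.sql) and allow-lists the sort field because identifiers cannot be bound; leads_hardened additionally rejects values outside the set the dashboard accepts. The payloads are the tautology from "How to Verify" and a UNION that reads a second table.

```python
import sqlite3

# Constructed stand-in for the CRM database: in-memory sqlite3 so the example runs
# offline (Frappe CRM itself runs on MariaDB/PostgreSQL). Table and column names
# are hypothetical; the secret value is made up.
SCHEMA = """
CREATE TABLE "tabCRM Lead" (name TEXT, status TEXT, owner TEXT);
INSERT INTO "tabCRM Lead" VALUES
  ('CRM-LEAD-0001', 'Open', 'alice@example.com'),
  ('CRM-LEAD-0002', 'Won',  'alice@example.com'),
  ('CRM-LEAD-0003', 'Open', 'bob@example.com');
CREATE TABLE "tabUser" (name TEXT, api_secret TEXT);
INSERT INTO "tabUser" VALUES ('admin@example.com', 'constructed-api-secret');
"""

# Hypothetical dashboard parameters; the real parameter names are not on the page.
ALLOWED_STATUSES = {"Open", "Replied", "Won", "Lost"}
ALLOWED_SORT_FIELDS = {"name", "status", "owner"}

# Payloads: the tautology from "How to Verify" and a UNION that reads another table.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name, api_secret FROM \"tabUser\" -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def leads_vulnerable(conn, status, sort_by="name"):
    """Vulnerable pattern: request parameters are interpolated into the SQL text."""
    query = ('SELECT name, status FROM "tabCRM Lead" '
             f"WHERE status = '{status}' ORDER BY {sort_by}")
    return conn.execute(query).fetchall()


def leads_parameterized(conn, status, sort_by="name"):
    """The value is bound with a placeholder (? in sqlite3, %s in frappe.db.sql).
    The sort field is an identifier, which placeholders cannot bind, so it is
    checked against an allow-list instead of being formatted in unchecked."""
    if sort_by not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unknown sort field: {sort_by!r}")
    query = f'SELECT name, status FROM "tabCRM Lead" WHERE status = ? ORDER BY {sort_by}'
    return conn.execute(query, (status,)).fetchall()


def leads_hardened(conn, status, sort_by="name"):
    """Parameterization plus allow-list validation of the value itself: unexpected
    input is rejected (and can be logged) instead of silently returning no rows."""
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"unknown status: {status!r}")
    return leads_parameterized(conn, status, sort_by)


def rejects(handler, conn, status):
    """True if the handler refuses the input rather than querying with it."""
    try:
        handler(conn, status)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, UNION payload:", leads_vulnerable(db, UNION_PAYLOAD))
    print("vulnerable, tautology:    ", leads_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("parameterized, UNION:     ", leads_parameterized(db, UNION_PAYLOAD))
    print("hardened rejects payload: ", rejects(leads_hardened, db, UNION_PAYLOAD))
```

Parameterization alone already defeats both payloads (they simply match no rows). The allow-list turns that silent empty result into a rejection you can log, and it is the only defense for parameters that end up as identifiers such as column or table names, which is exactly where keyword filters tend to fail.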

🧯 If You Can't Patch

  • Limit which roles can reach the dashboard endpoints; exploitation requires an authenticated session, so fewer accounts with access means fewer potential sources
  • Implement network segmentation so that the CRM application server is the only host that can reach its database, and run the application with a database account holding only the privileges it needs
  • Enable database auditing and monitor for unusual SQL queries from the CRM application

🔍 How to Verify

Check if Vulnerable:

Confirm whether the installation is running Frappe CRM 1.53.1 by checking the package version or application metadata.

Check Version:

On a bench-managed installation, run the bench CLI command bench version from the bench directory; it lists each installed app with its version. The version is also shown in the application settings.

Verify Fix Applied:

Against a test instance you are authorized to probe, send SQL injection test payloads (e.g., ' OR '1'='1) in the dashboard parameters. A fixed build returns the same result as for a harmless value (no extra rows) and no SQL error in the response, because the input is bound as data rather than spliced into the query.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts via dashboard
  • Long or malformed parameter values in web server logs

Network Indicators:

  • SQL error messages in HTTP responses
  • Unusual database connection patterns from web server

SIEM Query:

web_logs WHERE url_path CONTAINS '/api/method/frappe.crm.dashboard' AND (request_params CONTAINS 'UNION' OR request_params CONTAINS 'SELECT' OR request_params CONTAINS 'OR 1=1')

Normalize before matching: URL-decode request_params (twice, to catch double encoding) and compare case-insensitively, otherwise payloads such as %27%20OR%20%271%27%3D%271 or a lower-case union select slip past a literal match. Frappe API calls commonly send their arguments in the POST body, so request_params must come from a source that captures bodies, not from URL-only access logs.
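As an added example (not part of the original page), the following script applies the logic of that SIEM query to constructed nginx-style access log lines, but URL-decodes each parameter value repeatedly and matches case-insensitively first, so that encoded and double-encoded payloads are not missed, and it restricts matching to the dashboard path so ordinary pages containing the word "Select" do not alert. The log lines, addresses, method names and parameter names are made up; the path prefix is the one given above and should be adjusted to the real endpoint names in your deployment.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoint prefix from the page; adjust to the real method names in your deployment.
DASHBOARD_PATH = "/api/method/frappe.crm.dashboard"

# Constructed sample lines in nginx "combined" format (addresses, paths and values made up).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:10:01:02 +0000] "GET /api/method/frappe.crm.dashboard.get_leads?status=Open HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2025:10:01:07 +0000] "GET /api/method/frappe.crm.dashboard.get_leads?status=x%27%20UNION%20SELECT%20name%2Capi_secret%20FROM%20tabUser--%20 HTTP/1.1" 200 2048 "-" "python-requests/2.32"
10.0.0.9 - - [12/Oct/2025:10:01:09 +0000] "GET /api/method/frappe.crm.dashboard.get_leads?status=%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 500 310 "-" "python-requests/2.32"
10.0.0.7 - - [12/Oct/2025:10:02:00 +0000] "GET /api/method/frappe.crm.dashboard.get_leads?status=Won&sort_by=name HTTP/1.1" 200 480 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2025:10:02:30 +0000] "GET /app/crm-lead?status=Select%20Customers HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Case-insensitive patterns applied to each fully decoded parameter value.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"""['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("comment-terminator", re.compile(r"--\s|--$|/\*")),
]


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing, so %2527 -> %27 -> ' is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text, path_prefix=DASHBOARD_PATH):
    """Return one finding per (request, parameter) whose decoded value matches a pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(path_prefix):
            continue  # only the dashboard endpoints are in scope for this rule
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)  # parse_qsl decoded once; catch further layers
            rules = [name for name, rx in SQLI_PATTERNS if rx.search(value)]
            if rules:
                findings.append({
                    "ip": m["ip"], "time": m["time"], "path": url.path,
                    "param": key, "value": value, "rules": rules,
                    "status": int(m["status"]),
                })
    return findings


def repeat_offenders(findings, threshold=2):
    """Source addresses with at least `threshold` findings, most active first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return [ip for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]) if n >= threshold]


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['rules']}")
    print("repeat offenders:", repeat_offenders(hits))
```

The third sample line is double-encoded; the literal SIEM query above would never see the string OR 1=1 in it, but the decoded value matches the tautology rule. Access logs only carry the query string, so for POST-based API calls the same scanner must be fed from a source that records request bodies (an application log, WAF log or a reverse proxy configured to log bodies).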

🔗 References

  • https://github.com/frappe/crm/pull/1339