CVE-2025-30213

8.8 HIGH

📋 TL;DR

This vulnerability in the Frappe framework allows authenticated system users to create documents in a specific way that leads to remote code execution. It affects Frappe installations running versions before 14.91.0 (v14) or before 15.52.0 (v15). The vulnerability requires user authentication but grants significant privilege escalation.

💻 Affected Systems

Products:
  • Frappe Framework
Versions: All versions before 14.91.0 (v14) and before 15.52.0 (v15)
Operating Systems: All operating systems running Frappe
Default Config Vulnerable: ⚠️ Yes
Notes: All default Frappe installations are vulnerable. Exploitation requires authenticated access as a system user with document creation privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining remote code execution, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Privilege escalation where authenticated users can execute arbitrary code, potentially accessing sensitive data or modifying system configurations.

🟢 If Mitigated

Limited impact if proper authentication controls and least privilege principles are enforced, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and specific document creation techniques. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.91.0 or 15.52.0

Vendor Advisory: https://github.com/frappe/frappe/security/advisories/GHSA-v342-4xr9-x3q3

Restart Required: No

Instructions:

1. Identify your Frappe version.
2. Upgrade to version 14.91.0 if on version 14.x.
3. Upgrade to version 15.52.0 if on version 15.x.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

No workaround available

The vendor states there is no workaround for this vulnerability. Immediate patching is required.

🧯 If You Can't Patch

  • Restrict document creation privileges to only essential users
  • Implement network segmentation to isolate Frappe instances from critical systems

🔍 How to Verify

Check if Vulnerable:

Check your Frappe version. If you are running a version below 14.91.0 (for v14) or below 15.52.0 (for v15), you are vulnerable.

Check Version:

bench version

Verify Fix Applied:

Verify the Frappe version shows 14.91.0 or higher (for v14) or 15.52.0 or higher (for v15) after upgrade.
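
The version check above can be scripted. This is an added example, not vendor code. It assumes `bench version` prints one "<app> <version>" pair per line; the function names and the file name in the usage comment are hypothetical.

```python
import re
import sys

# Fixed releases per major branch, as stated in this advisory.
FIXED = {14: (14, 91, 0), 15: (15, 52, 0)}

# Assumption: `bench version` prints one "<app> <version>" pair per line,
# e.g. "frappe 15.51.2"; a trailing suffix such as "-dev" is captured separately.
FRAPPE_LINE = re.compile(r"^\s*frappe\s+v?(\d+)\.(\d+)\.(\d+)(\S*)", re.MULTILINE)


def parse_frappe_version(bench_output):
    """Return ((major, minor, patch), suffix) for the frappe app, or None."""
    match = FRAPPE_LINE.search(bench_output)
    if match is None:
        return None
    return tuple(int(n) for n in match.group(1, 2, 3)), match.group(4)


def classify(bench_output):
    """Return 'vulnerable', 'patched' or 'unknown' for CVE-2025-30213."""
    parsed = parse_frappe_version(bench_output)
    if parsed is None:
        return "unknown"  # frappe line missing or in an unexpected format
    version, suffix = parsed
    if suffix:
        # Development or pre-release builds: the number alone does not say
        # whether the fix is included, so do not guess.
        return "unknown"
    major = version[0]
    if major in FIXED:
        # Tuple comparison is numeric, so 15.9.0 sorts below 15.52.0.
        return "patched" if version >= FIXED[major] else "vulnerable"
    # Older branches are below 14.91.0 and have no fixed release listed here;
    # newer branches are above the affected range.
    return "vulnerable" if major < 14 else "patched"


if __name__ == "__main__":
    # Usage: bench version | python3 check_cve_2025_30213.py
    result = classify(sys.stdin.read())
    print(result)
    sys.exit(0 if result == "patched" else 1)
```

The non-zero exit code for "vulnerable" and "unknown" lets the script gate a deployment or inventory job.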

📡 Detection & Monitoring

Log Indicators:

  • Unusual document creation patterns
  • System user performing unexpected document operations
  • Error logs related to document processing

Network Indicators:

  • Unusual outbound connections from Frappe server
  • Suspicious process execution patterns

SIEM Query:

source="frappe" AND (event="document_creation" OR event="system_user_action") AND status="success" | stats count by user, document_type
