CVE-2025-66205

7.1 HIGH

📋 TL;DR

This CVE describes an error-based SQL injection vulnerability in the Frappe web application framework. Attackers can exploit this to retrieve sensitive information like database version details. Organizations using vulnerable Frappe versions (before 15.86.0 or 14.99.2) are affected.

💻 Affected Systems

Products:
  • Frappe Framework
Versions: All versions before 15.86.0 and 14.99.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using vulnerable Frappe versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise leading to data exfiltration, privilege escalation, or complete system takeover if combined with other vulnerabilities.

🟠 Likely Case

Information disclosure of database metadata, potentially enabling further attacks or reconnaissance.

🟢 If Mitigated

Limited information leakage with proper input validation and WAF protection in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Error-based SQL injection typically requires some trial and error but is well-understood by attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.86.0 or 14.99.2

Vendor Advisory: https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9

Restart Required: Yes

Instructions:

1. Update Frappe to version 15.86.0 or 14.99.2 using the bench update command.
2. Restart all Frappe services.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Validation WAF Rule (applies to: all)

Implement web application firewall rules to block SQL injection patterns targeting the vulnerable endpoint.

Endpoint Restriction (applies to: all)

Restrict access to the vulnerable endpoint using network ACLs or authentication requirements.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level.
  • Deploy a WAF with SQL injection protection rules and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the installed Frappe version with the bench version command and compare it against the vulnerable ranges listed above (before 15.86.0 on v15, before 14.99.2 on v14).

Check Version:

bench version

Verify Fix Applied:

Confirm Frappe version is 15.86.0 or higher (for v15) or 14.99.2 or higher (for v14).
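The version check above, as an added script that is not part of this advisory or of the Frappe project: it parses `bench version` output (assumed to print one `<app> <version>` pair per line; the embedded sample is constructed) and reports whether the frappe app is below the fixed release for its major branch.

```python
"""Compare `bench version` output with the CVE-2025-66205 fix thresholds.

Added example, not from the advisory or the Frappe project. Assumes
`bench version` prints one `<app> <version>` pair per line (the sample
below is constructed). Fixed releases per the advisory: 15.86.0 / 14.99.2.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED = {15: (15, 86, 0), 14: (14, 99, 2)}
# Constructed sample of `bench version` output for offline use.
SAMPLE_OUTPUT = "erpnext 15.40.1\nfrappe 15.85.3\nhrms 15.30.0\n"

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '15.85.3' (a suffix such as '-beta' is ignored) into a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def frappe_version(bench_output: str) -> Optional[Tuple[int, int, int]]:
    """Return the frappe app's version, or None if frappe is not listed."""
    for line in bench_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "frappe":
            return parse_version(parts[1])
    return None

def status(version: Tuple[int, int, int]) -> str:
    """'vulnerable', 'fixed' or 'unknown' for a frappe version tuple."""
    major = version[0]
    if major in FIXED:            # v14 / v15: compare within the branch
        return "fixed" if version >= FIXED[major] else "vulnerable"
    if major < 14:                # older than both fixed lines
        return "vulnerable"
    return "unknown"              # branch not covered by the advisory

def check_bench(output: str) -> str:
    v = frappe_version(output)
    return "frappe not found" if v is None else status(v)

if __name__ == "__main__":
    try:  # prefer live output when run inside a bench directory
        out = subprocess.run(["bench", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_OUTPUT
    print(check_bench(out))
```

Run it from inside the bench directory to check the live installation; outside one it falls back to the constructed sample.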

📡 Detection & Monitoring

Log Indicators:

  • Unusual database error messages in application logs
  • Repeated requests to vulnerable endpoint with SQL-like parameters

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, etc.) to Frappe endpoints

SIEM Query:

source="frappe_logs" AND (error OR sql OR injection)
