CVE-2025-66206
📋 TL;DR
This CVE describes a path traversal vulnerability in the Frappe web framework that lets an unauthenticated attacker retrieve arbitrary files from the server when the full path is known. It affects deployments in which the application server (werkzeug or gunicorn) is reached directly, without a reverse proxy. According to the vendor advisory, sites behind a reverse proxy such as NGINX, and sites hosted on Frappe Cloud, are not affected.
💻 Affected Systems
- Frappe Framework v15 before 15.86.0 and v14 before 14.99.2, when served directly by werkzeug or gunicorn without a reverse proxy
📦 What is this software?
Frappe by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Sensitive server files (configuration files, credentials, source code) could be exfiltrated, potentially leading to complete system compromise.
Likely Case
Unauthorized reads of files, inside or outside the application directory, that are readable by the account the Frappe process runs as, exposing configuration data or other sensitive information.
If Mitigated
No impact when proper reverse proxy configuration is in place or when using unaffected hosting platforms.
🎯 Exploit Status
Exploitation requires the attacker to know (or guess) the full path of the target file; since a bench follows a standard, well-documented directory layout, this is a weak barrier. No authentication is required on affected configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.86.0 or 14.99.2
Vendor Advisory: https://github.com/frappe/frappe/security/advisories/GHSA-v4wg-gqfr-rpjm
Restart Required: Yes
Instructions:
1. Back up the Frappe site and database ('bench --site <site> backup').
2. Update Frappe with bench: 'bench update' (pulls the apps, runs migrations and rebuilds assets). Note that 'bench update --patch' on its own only runs migrations and does not pull the fixed code.
3. Alternatively, update the frappe app manually to version 15.86.0 (v15) or 14.99.2 (v14).
4. Restart the Frappe application services ('bench restart') so the new code is loaded.
🔧 Temporary Workarounds
Deploy behind a reverse proxy
Put NGINX (or another reverse proxy) in front of the Frappe application and make it the only way in: bind the werkzeug/gunicorn listener to localhost or firewall its port, since the vendor advisory scopes the issue to sites whose application server is reached directly. On a bench, 'bench setup nginx' generates the production NGINX configuration; the minimal shape is shown below.
# Example NGINX server block; the upstream on port 8000 must not be reachable from outside
server {
    listen 80;
    server_name frappe.example.com;  # placeholder hostname

    location / {
        proxy_pass http://frappe_app:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
🧯 If You Can't Patch
- Deploy a reverse proxy (NGINX, Apache) in front of the Frappe application and ensure the application server's port (8000 in the example above) is reachable only through the proxy.
- Implement network segmentation and firewall rules to restrict access to vulnerable systems.
🔍 How to Verify
Check if Vulnerable:
Check the Frappe version with 'bench version' or read __version__ in frappe/__init__.py. A v15 install below 15.86.0, or a v14 install below 14.99.2, carries the bug; it is exploitable when the werkzeug/gunicorn listener is reachable directly rather than only through a reverse proxy, so check the exposure as well as the version.
Check Version:
bench version | grep frappe
Verify Fix Applied:
After patching, confirm that 'bench version' reports 15.86.0 or higher (v15) or 14.99.2 or higher (v14) and that the services were restarted so the new code is loaded. Then test with controlled path traversal attempts against the exposed interface.
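A small script, added here as an example (it is not Frappe's own tooling and not part of the advisory), that applies the version rule above: it reads the frappe entry from 'bench version' output or __version__ from frappe/__init__.py, compares against the patched releases for the v14 and v15 lines, and folds in whether the application port is reachable directly. The one-'app version'-per-line format of 'bench version' and the sample strings are assumptions; a pre-release such as 15.0.0-develop is judged by its numeric part only.

```python
# Added example, not Frappe's own tooling: apply the version rule from the
# advisory (fixed in 15.86.0 for v15 and 14.99.2 for v14) to what an
# installation reports, and fold in the deployment condition.
import re
from typing import Optional, Tuple

# Patched release per major line, taken from the vendor advisory.
PATCHED = {15: (15, 86, 0), 14: (14, 99, 2)}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull MAJOR.MINOR.PATCH out of '15.85.1', 'frappe 15.85.1' or a
    __version__ line; a suffix such as '-develop' is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(text: str) -> Optional[bool]:
    """True if below the patched release for its major line, False if at or
    above it, None if unparsable or for a line this page lists no fix for."""
    v = parse_version(text)
    if v is None or v[0] not in PATCHED:
        return None
    return v < PATCHED[v[0]]


def frappe_version_from_bench(output: str) -> Optional[str]:
    """Pick the frappe entry out of `bench version` output; the assumed format
    is one 'app version' pair per line (what `grep frappe` relies on)."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "frappe":
            return parts[1]
    return None


def frappe_version_from_init(source: str) -> Optional[str]:
    """Read __version__ from the text of frappe/__init__.py."""
    m = re.search(r'__version__\s*=\s*["\']([^"\']+)["\']', source)
    return m.group(1) if m else None


def assess(version_text: str, app_port_reachable_directly: bool) -> str:
    """Combine version and exposure: the advisory scopes the issue to sites
    reached directly through werkzeug/gunicorn with no reverse proxy."""
    vuln = is_vulnerable_version(version_text)
    if vuln is None:
        return "unknown"
    if not vuln:
        return "patched"
    return "vulnerable" if app_port_reachable_directly else "unpatched-but-not-exposed"


if __name__ == "__main__":
    # Constructed sample of `bench version` output, not taken from a real host.
    sample = "erpnext 15.80.0\nfrappe 15.85.1\n"
    v = frappe_version_from_bench(sample)
    print(v, assess(v, app_port_reachable_directly=True))
```

Run it with the real output of 'bench version' piped in, or point frappe_version_from_init at the installed apps/frappe/frappe/__init__.py; the "unpatched-but-not-exposed" result is still a reason to patch, it just lowers the urgency.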
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in application logs
- Multiple failed attempts to access non-existent files with path traversal patterns (../, ..\)
- Requests for known sensitive file paths
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\) targeting the Frappe application
SIEM Query:
source="frappe_logs" AND (uri="*../*" OR uri="*..\*" OR uri="*%2e%2e*" OR uri="*%2E%2E*" OR uri="*..%2f*" OR uri="*..%5c*")
Note: the literal '../' and '..\' patterns miss percent-encoded and double-encoded variants (for example %2e%2e%2f or %252e%252e), so decode the URI field before matching where the SIEM supports it. 'source="frappe_logs"' is a placeholder for whichever index holds the web server or application access logs.
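The following is an added example (not part of the original page or of Frappe) that runs the same check as the query above over constructed access-log lines, and also catches percent-encoded, double-encoded and backslash variants by normalizing the request target before looking for a '..' segment. The log lines are constructed for illustration and the paths in them are placeholders, not the affected Frappe route.

```python
# Added example, not part of the Frappe project or this advisory: find
# path-traversal attempts in access-log lines, including encoded variants.
import re
from urllib.parse import unquote

# Request line inside an NGINX/gunicorn "combined"-style access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding), treat
    backslash as a separator and collapse repeated slashes."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"/+", "/", decoded.replace("\\", "/"))


def has_traversal(target: str) -> bool:
    """True if any path segment, or any '/'-, '&'- or '='-delimited piece of
    the query string, is exactly '..' after normalization."""
    path, _, query = normalize_target(target).partition("?")
    pieces = path.split("/") + re.split(r"[/&=]", query)
    return any(piece == ".." for piece in pieces)


def scan_log(lines):
    """Return (line_no, method, raw_target, normalized_target) for each hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m and has_traversal(m.group("target")):
            hits.append((line_no, m.group("method"), m.group("target"),
                         normalize_target(m.group("target"))))
    return hits


# Constructed sample log; the paths are placeholders, not Frappe's affected route.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2025:10:01:02 +0000] "GET /app/home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2025:10:01:05 +0000] "GET /x/../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.9 - - [12/Dec/2025:10:01:06 +0000] "GET /x/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.9 - - [12/Dec/2025:10:01:07 +0000] "GET /x/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.9 - - [12/Dec/2025:10:01:08 +0000] "GET /x/..%5c..%5cwindows/win.ini HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.7 - - [12/Dec/2025:10:01:09 +0000] "GET /api/method/ping?_=1..2 HTTP/1.1" 200 22 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for line_no, method, raw, norm in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {raw} -> {norm}")
```

Feed it the proxy or gunicorn access log instead of SAMPLE_LOG; the normalized target in each hit is what to pivot on in the SIEM, since the raw form varies with the encoding the attacker chose. Note that the decoding loop is bounded so a pathological input cannot spin it.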