CVE-2025-67289

9.6 CRITICAL

📋 TL;DR

This critical vulnerability in Frappe Framework's Attachments module allows attackers to upload malicious XML files that can lead to remote code execution. It affects all systems running Frappe Framework v15.89.0. Attackers can potentially take full control of affected servers.

💻 Affected Systems

Products:
  • Frappe Framework
Versions: v15.89.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the Attachments module. ERPNext and other Frappe-based applications may also be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems in the network.

🟠 Likely Case

Webshell deployment leading to data exfiltration, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact if file uploads are restricted to authenticated users only and input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires file upload capability but is straightforward once access is obtained. XML file parsing leads to code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v15.90.0 or later

Vendor Advisory: http://frappe.com

Restart Required: Yes

Instructions:

1. Backup your Frappe instance.
2. Update Frappe Framework to v15.90.0 or later using 'bench update'.
3. Restart all services with 'bench restart'.
4. Verify the update with 'bench version'.

🔧 Temporary Workarounds

Disable XML file uploads (applies to: all)

Configure the Attachments module to reject XML file uploads entirely.

Modify site_config.json to add: {"file_upload_restrictions": {"blocked_extensions": ["xml"]}}

Implement file type validation (applies to: all)

Add server-side validation to check file content, not just extensions.

Add custom validation in hooks.py to inspect file magic numbers.
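The content check described above, as an added example that is not Frappe's own code: it compares the leading bytes of an upload against its declared extension and rejects anything whose content is XML regardless of how the file is named. It goes slightly beyond the page by also handling a UTF-8 or UTF-16 byte-order mark, since a `<?xml` prologue encoded as UTF-16 slips past a naive ASCII prefix check. Wiring this into a Frappe app as a `doc_events` validate handler in hooks.py is an assumption; the function itself is plain Python and runs without Frappe.

```python
"""Content-based upload validation (added example, not Frappe project code).

The signature table and the blocked-type set are illustrative choices for
this example; a deployment would extend them to the types it actually accepts.
"""
import os
import re
from typing import Optional, Tuple

# Leading-byte signatures ("magic numbers") for a few common upload types.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
}

# Content types that are rejected outright, whatever the filename says.
BLOCKED_TYPES = {"xml"}

# An XML prologue, a DOCTYPE, or any leading tag counts as markup. Plain-text
# uploads that happen to start with "<" are rejected too, which is the safe side.
_MARKUP_START = re.compile(r"^\s*<(\?xml|!DOCTYPE|[A-Za-z])")


def _text_head(data: bytes) -> str:
    """Decode the first 512 bytes as text, honouring a UTF-16 or UTF-8 BOM."""
    head = data[:512]
    if head.startswith(b"\xff\xfe") or head.startswith(b"\xfe\xff"):
        return head.decode("utf-16", errors="ignore")
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    return head.decode("utf-8", errors="ignore")


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the file's leading bytes, or None if unknown."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    if _MARKUP_START.match(_text_head(data)):
        return "xml"
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept the upload only if its content agrees with its extension and is not a blocked type."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = "jpg" if ext == "jpeg" else ext
    detected = sniff_type(data)
    if ext in BLOCKED_TYPES:
        return False, f"extension .{ext} is blocked"
    if detected in BLOCKED_TYPES:
        return False, f"content looks like {detected} despite .{ext} extension"
    if ext in MAGIC and detected != ext:
        return False, f"content does not match .{ext} signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not files from any real incident.
    samples = [
        ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("payload.xml", b"<?xml version='1.0'?><root/>"),
        ("logo.png", b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>"),
        ("notes.png", "<?xml version='1.0'?><root/>".encode("utf-16")),
        ("photo.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("readme.txt", b"plain text, nothing to see"),
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```

The declared extension is checked first so that a blocked type is refused even when the body is empty; the magic-number comparison then catches a PNG that is really a JPEG and, more importantly here, markup hiding behind an image extension.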

🧯 If You Can't Patch

  • Implement WAF rules to block XML file uploads to the attachments endpoint
  • Restrict file upload permissions to trusted users only and monitor upload activity

🔍 How to Verify

Check if Vulnerable:

Check Frappe version with: bench version | grep frappe

Check Version:

bench version

Verify Fix Applied:

Confirm version is v15.90.0 or later: bench version

📡 Detection & Monitoring

Log Indicators:

  • XML file uploads to /api/method/upload_file
  • Unusual file size or content in upload logs
  • Execution of system commands from web process

Network Indicators:

  • POST requests with XML files to upload endpoints
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="frappe.log" AND "upload_file" AND file_extension="xml"
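The log indicators listed above turned into a small detection job, as an added example that is not part of the advisory. The log records are constructed JSON lines invented for this illustration (Frappe's real log layout is not assumed); the path `/api/method/upload_file` is the one named on the page, and the size threshold is an arbitrary example value.

```python
"""Flag suspicious uploads in per-request log records (added example).

Each record is one JSON object per line with method, path, filename,
content_type and size fields. The format is constructed for this example.
"""
import json
from typing import Dict, List

UPLOAD_PATH = "/api/method/upload_file"           # endpoint named in the advisory
XML_TYPES = {"application/xml", "text/xml", "image/svg+xml"}
SIZE_LIMIT = 5 * 1024 * 1024                       # example threshold for "unusual file size"

# Constructed sample log, not data from any real system.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:01:02Z","user":"alice","method":"POST","path":"/api/method/upload_file","filename":"invoice.pdf","content_type":"application/pdf","size":48213}
{"ts":"2025-01-10T09:03:44Z","user":"guest","method":"POST","path":"/api/method/upload_file","filename":"payload.xml","content_type":"application/xml","size":1122}
{"ts":"2025-01-10T09:04:10Z","user":"bob","method":"POST","path":"/api/method/upload_file","filename":"logo.png","content_type":"text/xml","size":903}
{"ts":"2025-01-10T09:05:00Z","user":"alice","method":"GET","path":"/api/method/frappe.client.get_list","size":0}
{"ts":"2025-01-10T09:06:30Z","user":"carol","method":"POST","path":"/api/method/upload_file","filename":"dump.bin","content_type":"application/octet-stream","size":73400320}
"""


def find_suspicious_uploads(log_text: str) -> List[Dict]:
    """Return one alert per upload record that matches any indicator."""
    alerts: List[Dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the whole run
        if rec.get("method") != "POST" or rec.get("path") != UPLOAD_PATH:
            continue
        reasons = []
        filename = rec.get("filename", "")
        # Extension check: the indicator from the advisory's SIEM query.
        if filename.lower().rsplit(".", 1)[-1] == "xml":
            reasons.append("xml extension")
        # Declared content type, which catches XML under a non-.xml name.
        if rec.get("content_type", "").lower() in XML_TYPES:
            reasons.append("xml content type")
        # Unusual size indicator.
        if rec.get("size", 0) > SIZE_LIMIT:
            reasons.append("oversized")
        if reasons:
            alerts.append({
                "ts": rec.get("ts"),
                "user": rec.get("user"),
                "filename": filename,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_uploads(SAMPLE_LOG):
        print(alert)
```

Matching on the declared content type as well as the extension matters because the SIEM query on the page keys only on `file_extension="xml"`, which misses XML bodies uploaded under an image or document filename.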
