CVE-2025-68929

9.0 CRITICAL

📋 TL;DR

This vulnerability allows authenticated Frappe users with specific permissions to be tricked into clicking malicious links that execute arbitrary code on the server. It affects all Frappe installations running versions before 14.99.6 or 15.88.1, enabling remote code execution through template injection.

💻 Affected Systems

Products:
  • Frappe Framework
Versions: All versions before 14.99.6 and 15.88.1
Operating Systems: All platforms running Frappe
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with specific permissions, but default configurations may include vulnerable permission sets.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Attacker gains shell access to execute arbitrary commands, potentially accessing sensitive data and modifying application behavior.

🟢

If Mitigated

With proper access controls and network segmentation, impact limited to isolated application server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick an authenticated user into clicking a malicious link, but technical exploitation is straightforward once the link is accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.99.6 or 15.88.1

Vendor Advisory: https://github.com/frappe/frappe/security/advisories/GHSA-qq98-vfv9-xmxh

Restart Required: Yes

Instructions:

1. Back up your Frappe installation and database.
2. Update Frappe using bench: 'bench update --frappe'.
3. Verify the version with 'bench version'.
4. Restart all bench processes: 'bench restart'.

🔧 Temporary Workarounds

No official workarounds (applies to all affected versions): the vendor states that no known workarounds exist.

🧯 If You Can't Patch

  • Implement strict access controls to limit user permissions, especially template-related permissions
  • Deploy web application firewall with template injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check the Frappe version with 'bench version', or examine frappe/__init__.py for the version number.

Check Version:

bench version

Verify Fix Applied:

Confirm version is 14.99.6 or higher for v14 branch, or 15.88.1 or higher for v15 branch
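The version check above is branch-aware: a v14 site is fixed at 14.99.6 and a v15 site at 15.88.1, so a naive "is the version at least 15.88.1" comparison would misclassify every v14 install. The script below is an added example, not part of this advisory or of the Frappe project. It parses the output of 'bench version' (assumed here to print one "app version" line per installed app, with a sample output constructed inline for offline use) and applies the two fixed-version thresholds from the advisory; a major version newer than 15 is reported as not covered rather than guessed.

```python
import re
import shutil
import subprocess

# Fixed versions named in the advisory, keyed by major release branch.
FIXED_VERSIONS = {14: (14, 99, 6), 15: (15, 88, 1)}

# Constructed sample of 'bench version' output, used when bench is not installed.
SAMPLE_BENCH_VERSION = """erpnext 15.40.0
frappe 15.80.2
"""


def parse_version(text):
    """Return (major, minor, patch) for strings like '15.88.1' or 'v14.99.6-beta1'.

    A pre-release suffix is ignored, so it is the caller's job to decide
    whether a pre-release of the fixed version should count as fixed.
    """
    match = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True if the version is before its branch's fixed release, False if not,
    None if the advisory does not cover that branch (e.g. a newer major)."""
    major, minor, patch = parse_version(version)
    if major in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[major]
    if major < 14:
        # Older branches predate both fixed releases and receive no fix.
        return True
    return None


def frappe_version_from_bench_output(text):
    """Pick the 'frappe <version>' line out of 'bench version' output.

    Assumes one 'app version' pair per line; returns None if frappe is absent.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "frappe":
            return parts[1]
    return None


def check_installation(bench_output):
    """Summarise the vulnerability status for one bench, from its 'bench version' output."""
    version = frappe_version_from_bench_output(bench_output)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "frappe not found in output"}
    status = is_vulnerable(version)
    if status is None:
        note = "branch not covered by the advisory; check the vendor advisory"
    elif status:
        major = parse_version(version)[0]
        fixed = FIXED_VERSIONS.get(major)
        note = "update to %s" % (".".join(map(str, fixed)) if fixed else "a supported branch")
    else:
        note = "fixed"
    return {"version": version, "vulnerable": status, "note": note}


def main():
    # Use the real 'bench version' when bench is on PATH, else the constructed sample.
    if shutil.which("bench"):
        output = subprocess.run(["bench", "version"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_BENCH_VERSION
    result = check_installation(output)
    print("frappe %s: vulnerable=%s (%s)" % (result["version"], result["vulnerable"], result["note"]))


if __name__ == "__main__":
    main()
```

Run it from the bench user's shell on each bench host; on the constructed sample (frappe 15.80.2) it reports the site as vulnerable and names 15.88.1 as the target version.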

📡 Detection & Monitoring

Log Indicators:

  • Unusual template execution patterns
  • Suspicious file operations from Frappe processes
  • Unexpected system command execution

Network Indicators:

  • Outbound connections from Frappe server to unknown destinations
  • Unusual data exfiltration patterns

SIEM Query:

source="frappe.logs" AND ("template.execute" OR "system.call" OR "os.system")
