Triple Threat in Frappe Framework: SQL Injection, RCE, and Info Disclosure Fixed in Recent Patches
do son 
Multiple critical security vulnerabilities have been identified in the Frappe Framework, a full-stack web framework powering ERPNext and other database-driven applications.
Frappe is a versatile, Python and Javascript-based web framework that simplifies the development of database-centric applications. Its robust feature set has made it a popular choice for building complex web solutions.
First in the trio is CVE-2025-30212, a SQL injection vulnerability affecting Frappe versions prior to 14.89.0 and 15.51.0. The flaw could allow attackers to inject malicious SQL statements and gain unauthorized access to sensitive information stored in the database. Given the nature of frameworks like Frappe—which rely heavily on user input and dynamic content generation—this type of vulnerability poses a real risk to data confidentiality and integrity.
Upgrade to version 14.89.0 or 15.51.0. No other workaround is currently available.
The second flaw, CVE-2025-30213, is a more insidious vulnerability that allows remote code execution under specific conditions. Prior to versions 14.91.0 and 15.52.0, authenticated system users could craft documents in such a way that they could execute arbitrary code on the server. Although this requires authenticated access, the impact is significant, potentially allowing full system compromise from within the application.
Upgrade to version 14.91.0 or 15.52.0. No workaround is provided, emphasizing the need for immediate patching.
The third and most severe of the set, CVE-2025-30214, carries a CVSS score of 8.0 and enables information disclosure through crafted requests. If exploited, this could lead to account takeover—a critical concern for any application handling sensitive user or business data. Affected versions include those prior to 14.89.0 and 15.51.0.
This vulnerability raises alarm due to its potential to escalate from simple data leaks to full account compromise, underscoring the importance of timely upgrades in software maintenance cycles.
Upgrade to version 14.89.0 or 15.51.0. No workaround is available.
It is imperative that all Frappe Framework users upgrade to the specified patched versions (or later) to protect their applications and data from these security risks.
