Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-30213

CVE-2025-30213: Frappe Framework RCE Vulnerability

CVE-2025-30213 is a remote code execution vulnerability in Frappe Framework that allows system users to execute arbitrary code through document creation. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-30213 Overview

CVE-2025-30213 affects Frappe, a full-stack web application framework used to build business applications including ERPNext. The vulnerability allows an authenticated system user to craft specific documents in a way that leads to remote code execution on the underlying server. The flaw stems from improper input validation [CWE-20] in document creation workflows. Frappe maintainers released fixes in versions 14.91.0 and 15.52.0 to address the issue. There is no workaround available, so administrators must upgrade affected installations.

Critical Impact

An authenticated low-privilege system user can achieve remote code execution on the Frappe server, compromising confidentiality, integrity, and availability of the application and underlying host.

Affected Products

  • Frappe Framework versions prior to 14.91.0 (v14 branch)
  • Frappe Framework versions prior to 15.52.0 (v15 branch)
  • Applications built on vulnerable Frappe versions, including ERPNext deployments

Discovery Timeline

  • 2025-03-25 - CVE-2025-30213 published to NVD
  • 2025-08-01 - Last updated in NVD database

Technical Details for CVE-2025-30213

Vulnerability Analysis

The vulnerability resides in Frappe's document creation logic. Frappe exposes document operations through its REST and RPC APIs, where users with valid session credentials submit structured payloads to create or modify records. The framework failed to properly validate specific fields or document configurations during creation. An attacker who crafts a document with malicious parameters triggers server-side code execution within the Frappe process context.

The weakness is classified under [CWE-20] Improper Input Validation. Because the attack requires only standard system user credentials and network access to the application, the bar for exploitation is low in environments where account provisioning is open or self-service.

Successful exploitation impacts confidentiality, integrity, and availability of the application. An attacker can read business data, modify records, deploy persistent backdoors, and pivot into connected systems such as databases and integration endpoints.

Root Cause

The root cause is missing or insufficient sanitization of attributes within document creation requests. Frappe processed certain user-controlled values without adequate type or content checks, allowing input intended as data fields to influence code execution paths. The maintainers addressed this in commits shipped with versions 14.91.0 and 15.52.0.

Attack Vector

The attack is performed over the network against the Frappe HTTP API. The attacker authenticates as any system user — including a self-registered account where signup is enabled — then submits a malicious document creation request. No user interaction is required, and the attack complexity is low. Refer to the Frappe GitHub Security Advisory GHSA-v342-4xr9-x3q3 for vendor details.

Detection Methods for CVE-2025-30213

Indicators of Compromise

  • Unexpected child processes spawned by the Frappe or Gunicorn worker process, such as shells, python, curl, or wget.
  • New or modified files in Frappe sites/, apps/, or private/files/ directories created outside normal deployment windows.
  • Anomalous document creation API calls (/api/method/frappe.client.insert, /api/resource/) from low-privilege user sessions containing unusual field values.
  • Outbound network connections from the application server to unfamiliar hosts following document creation events.

Detection Strategies

  • Audit Frappe application logs for document creation events originating from non-administrative accounts, especially those targeting DocTypes that accept code or script fields.
  • Correlate web access logs with process execution telemetry on the host to identify request-to-shell sequences.
  • Hunt for newly created or modified Server Scripts, Client Scripts, and Custom Scripts within the Frappe database.

Monitoring Recommendations

  • Enable verbose audit logging for the DocType, Server Script, and Custom Field resources and forward logs to a central SIEM.
  • Monitor the Frappe process tree for unexpected child processes and file writes outside the application bench directory.
  • Track authentication events and flag accounts that perform document creation immediately after first login.

How to Mitigate CVE-2025-30213

Immediate Actions Required

  • Upgrade Frappe to version 14.91.0 (v14 branch) or 15.52.0 (v15 branch) or later without delay.
  • Disable self-service user registration on internet-exposed Frappe instances until the upgrade is complete.
  • Review the user list and revoke unused or unfamiliar system user accounts.
  • Inspect Server Scripts, Client Scripts, and scheduled jobs for unauthorized modifications.

Patch Information

Frappe published patches in versions 14.91.0 and 15.52.0. The advisory is tracked as GHSA-v342-4xr9-x3q3. Operators using the bench tool should run bench update --patch after pinning to a patched release. No backports are available for earlier branches.

Workarounds

  • No workaround exists. The vendor advisory states that an upgrade is required to remediate the vulnerability.
  • As a compensating control until patching, restrict network access to the Frappe instance via VPN or IP allowlists and remove document creation permissions from low-trust roles.
bash
# Upgrade Frappe using bench to a patched release
cd /home/frappe/frappe-bench
bench switch-to-branch version-15 frappe --upgrade
bench update --reset
bench --site all migrate
bench restart

# Verify installed version meets the patched baseline
bench version | grep frappe

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne