
CVE-2025-55731: Frappe Framework SQLi Vulnerability

CVE-2025-55731 is a SQL injection flaw in Frappe Framework that enables attackers to extract unauthorized data through crafted requests. This article covers the technical details, affected versions, and mitigation.

CVE-2025-55731 Overview

CVE-2025-55731 is a SQL injection vulnerability [CWE-89] in the Frappe full-stack web application framework. A carefully crafted request can extract data that the authenticated user would normally not have access to. The flaw resides in the db_query module, where sanitization of order_by and group_by parameters was insufficient to block sub-query and SQL function abuse. Frappe maintainers fixed the issue in versions 15.74.2 and 14.96.15.

Critical Impact

An authenticated attacker can craft requests that bypass query filters and exfiltrate database records outside their authorized scope, breaking tenant and row-level access controls.

Affected Products

  • Frappe Framework versions prior to 14.96.15 (14.x branch)
  • Frappe Framework versions prior to 15.74.2 (15.x branch)
  • ERPNext and other applications built on vulnerable Frappe versions

Discovery Timeline

  • 2025-08-20 - CVE-2025-55731 published to NVD
  • 2025-08-22 - Last updated in NVD database

Technical Details for CVE-2025-55731

Vulnerability Analysis

Frappe exposes list and report APIs that accept order_by and group_by parameters originating from client requests. The framework passed these parameters through a permissive validator before concatenating them into raw SQL. The validator blocked only a narrow set of patterns, such as the literal substring select combined with from, and the function name sleep.

An authenticated user could supply UNION-based or function-based payloads in the order_by clause to coerce the database into returning rows from tables the user has no permission to read. Because the injection executes within the application's own database session, it inherits the privileges of the Frappe service account, which typically has full read access to every DocType.

Root Cause

The root cause is insufficient input sanitization in frappe/model/db_query.py. The original validator relied on simple substring matching. It did not normalize whitespace, did not account for the UNION or INTERSECT set operators, and blacklisted only the sleep function. SQL functions such as extractvalue, benchmark, user, current_user, and database therefore remained reachable through ordering and grouping clauses.

Attack Vector

Exploitation requires network access to the Frappe HTTP endpoints and a valid low-privilege session. The attacker submits a list-view or report request and places injection payloads in the order_by or group_by field. The patch introduces stricter regex matching for sub-query indicators and an expanded blacklist of dangerous SQL functions.

python
# Patch excerpt from frappe/model/db_query.py (validation of order_by / group_by input).
# The excerpt is the body of the validation routine; these names come from the
# module scope in Frappe and are listed here so the logic can be read on its own.
import re

import frappe
from frappe import _

# ORDER_GROUP_PATTERN is the module-level regex that rejects clauses which are
# not a plain "column [asc|desc], ..." list.

if not parameters:
    return

_lower = parameters.lower()

if ORDER_GROUP_PATTERN.match(_lower):
    frappe.throw(_("Illegal SQL Query"))

# Set operators and SELECT ... FROM are treated as sub-query indicators.
subquery_indicators = {
    r"union",
    r"intersect",
    r"select\b.*\bfrom",
}

# The word boundaries must be raw strings: "\b" in a plain string is a backspace.
if any(re.search(r"\b" + pattern + r"\b", _lower) for pattern in subquery_indicators):
    frappe.throw(_("Cannot use sub-query here."))

# SQL functions rejected when they appear in an ordering or grouping clause.
blacklisted_sql_functions = {
    "sleep",
    "benchmark",
    "extractvalue",
    "database",
    "user",
    "current_user",
}
# Source: https://github.com/frappe/frappe/commit/93ee30c638bf7a7e33e2937a0adccac14c38b410

Detection Methods for CVE-2025-55731

Indicators of Compromise

  • Web server access logs containing order_by or group_by parameters with the keywords UNION, INTERSECT, SELECT ... FROM, extractvalue, or benchmark.
  • Database error log entries referencing malformed ORDER BY clauses originating from Frappe service accounts.
  • Anomalous response sizes for list/report API calls that return more rows or columns than the requesting user role should access.
  • Frappe application logs containing the post-patch error strings "Illegal SQL Query" or "Cannot use sub-query here.", indicating attempted exploitation against a patched host.

Detection Strategies

  • Deploy WAF rules that inspect query string and POST body parameters named order_by and group_by for SQL set operators and blacklisted function names.
  • Enable MySQL or MariaDB general query logging temporarily on staging to baseline legitimate Frappe ORDER BY patterns, then alert on deviations.
  • Correlate authenticated session IDs with the volume of DocTypes queried per minute to flag enumeration behavior.
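As an added example (not the page's or Frappe's own code), the validator below mirrors the patched checks described in the Root Cause and Attack Vector sections, normalising whitespace and matching set operators and blacklisted functions on word boundaries so that a column such as user_id still sorts normally, and then applies the same check to constructed access-log lines the way the log-inspection strategy above suggests. The function names, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed in the spirit of the patched Frappe check; not Frappe's own code.
SUBQUERY_INDICATORS = (r"\bunion\b", r"\bintersect\b", r"\bselect\b.*\bfrom\b")
BLACKLISTED_FUNCTIONS = ("sleep", "benchmark", "extractvalue", "database", "user", "current_user")


def check_order_by(clause: str):
    """Return None for a plain ordering/grouping expression, otherwise a short
    reason describing why the clause is rejected."""
    if not clause:
        return None
    # Collapse tabs/newlines and case before matching so a payload split across
    # lines cannot slip past a single-line regex.
    lowered = " ".join(clause.lower().split())
    for pattern in SUBQUERY_INDICATORS:
        if re.search(pattern, lowered):
            return "sub-query or set operator"
    for fn in BLACKLISTED_FUNCTIONS:
        # Reject only a call, e.g. "sleep(", so a column literally named "user" still sorts.
        if re.search(rf"\b{fn}\s*\(", lowered):
            return f"blacklisted function {fn}"
    return None


# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2025:10:01:02 +0000] "GET /api/method/frappe.client.get_list?doctype=ToDo&order_by=modified%20desc HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Aug/2025:10:01:07 +0000] "GET /api/method/frappe.client.get_list?doctype=ToDo&order_by=name%20union%20select%201 HTTP/1.1" 200 812',
    '10.0.0.9 - - [20/Aug/2025:10:01:09 +0000] "GET /api/method/frappe.client.get_list?doctype=ToDo&group_by=benchmark(1,1) HTTP/1.1" 417 98',
]


def scan_access_log(lines):
    """Return (client_ip, parameter, decoded value, reason) for every request whose
    order_by or group_by query parameter fails check_order_by()."""
    hits = []
    for line in lines:
        m = re.search(r'^(\S+) .*"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query)  # parse_qs URL-decodes the values
        for name in ("order_by", "group_by"):
            for value in params.get(name, []):
                reason = check_order_by(value)
                if reason:
                    hits.append((ip, name, value, reason))
    return hits
```

Requests that only the post body carries (POST to the list endpoints) need the body captured by the proxy as well; the query-string parsing above is the part a standard access log can cover.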

Monitoring Recommendations

  • Monitor the frappe/model/db_query.py code path for repeated validation failures from the same user account.
  • Track outbound response payload sizes from /api/method/frappe.client.get_list and report endpoints for sudden growth.
  • Audit Frappe user roles and review which accounts retain access to list endpoints exposed to the internet.

How to Mitigate CVE-2025-55731

Immediate Actions Required

  • Upgrade Frappe to version 15.74.2 for the 15.x branch or 14.96.15 for the 14.x branch.
  • Rebuild and redeploy any downstream applications (including ERPNext) that bundle a vulnerable Frappe release.
  • Rotate database credentials used by the Frappe service if exploitation is suspected, and review audit logs for unauthorized DocType reads.

Patch Information

The fix is committed in Frappe commits 93ee30c and c2b01e3. Full details are available in the GitHub Security Advisory GHSA-5p8f-568f-vfq2. The patch tightens order_by/group_by sanitization, blocks UNION and INTERSECT sub-queries, and expands the SQL function blacklist.

Workarounds

  • Restrict Frappe administrative and reporting endpoints to trusted networks or VPN-only access until the patch can be applied.
  • Deploy a reverse proxy or WAF rule that rejects requests containing union, intersect, or select.*from patterns inside order_by or group_by parameters.
  • Reduce the attack surface by tightening DocType permissions so that low-privilege users cannot reach list/report APIs against sensitive tables.

bash
# Upgrade Frappe via bench to a patched release (15.x shown; use version-14 on the 14.x branch)
bench switch-to-branch version-15 frappe --upgrade
bench update --reset
bench --site all migrate

# Verify the installed Frappe version meets the fix baseline
bench version | grep frappe
# Expected: frappe 15.74.2 or later (14.96.15 or later on the 14.x branch)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
