CVE-2025-55732 Overview
CVE-2025-55732 is a SQL injection vulnerability in the Frappe full-stack web application framework. The flaw affects all versions prior to 15.74.2 and 14.96.15. An authenticated attacker can submit specially crafted requests that bypass the original patch issued for CVE-2025-52895, enabling injection of arbitrary SQL into backend queries. Successful exploitation exposes sensitive database contents to unauthorized users. The issue is tracked under CWE-89 and carries a CVSS v4.0 base score of 8.7. The maintainers addressed the bypass in commits 24dd2d9 and abe2cc2, included in Frappe 15.74.2 and 14.96.15.
Critical Impact
Authenticated attackers can extract sensitive database records via crafted Dashboard Chart requests that bypass the prior CVE-2025-52895 fix.
Affected Products
- Frappe Framework versions prior to 15.74.2 (15.x branch)
- Frappe Framework versions prior to 14.96.15 (14.x branch)
- Applications built on Frappe (including ERPNext deployments) using these versions
Discovery Timeline
- 2025-08-20 - CVE-2025-55732 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2025-55732
Vulnerability Analysis
The vulnerability resides in the Dashboard Chart permission query logic at frappe/desk/doctype/dashboard_chart/dashboard_chart.py. The original fix for CVE-2025-52895 restricted the permission query to chart types Count, Sum, and Average, but failed to account for the Group By chart type. An authenticated user able to submit requests against Dashboard Chart endpoints can supply Group By chart parameters that flow into dynamic SQL construction without proper sanitization. The result is a SQL injection primitive returning data the attacker is not authorized to view.
Root Cause
The root cause is incomplete input filtering in the permission query builder. The allow-list of chart types omitted Group By, leaving an unguarded code path where attacker-controlled values were concatenated into raw SQL. This classifies as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89).
Attack Vector
The attacker must hold valid low-privilege credentials on the Frappe instance. From there, the attacker issues HTTP requests to Dashboard Chart APIs with a Group By chart configuration containing malicious SQL fragments. The crafted payload is incorporated into the server-side query and executed by the database backend, returning data across the application's tables.
# Patch diff: frappe/desk/doctype/dashboard_chart/dashboard_chart.py
# Adds 'Group By' to the allow-list checked in the permission query.
or `tabDashboard Chart`.`module` is NULL""".format(allowed_modules=",".join(allowed_modules))
return f"""
- ((`tabDashboard Chart`.`chart_type` in ('Count', 'Sum', 'Average')
+ ((`tabDashboard Chart`.`chart_type` in ('Count', 'Sum', 'Average', 'Group By')
and {doctype_condition})
or
(`tabDashboard Chart`.`chart_type` = 'Report'
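Review bot: the `+` line only appends 'Group By' to an inline literal tuple, the same pattern that let the earlier CVE-2025-52895 fix miss this chart type; hoist the permitted chart types into a named module-level constant and add a regression test that exercises a Group By chart, so any chart type the doctype accepts is either listed or fails the test. Since the query is assembled with `return f"""` and interpolates `{doctype_condition}` on the following context line, it is also worth confirming in review that `doctype_condition` is built only from escaped doctype names, as the permission query itself is raw SQL.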
Source: Frappe Commit 24dd2d9 and Frappe Commit abe2cc2
Detection Methods for CVE-2025-55732
Indicators of Compromise
- HTTP requests to Dashboard Chart endpoints containing chart_type=Group By with unusual group_by_based_on, document_type, or filter values containing SQL meta-characters such as ', --, UNION, or SLEEP(.
- Database query logs showing unexpected UNION SELECT, time-delay functions, or queries referencing tables outside the Dashboard Chart context originating from the Frappe application user.
- Sudden spikes in 500 errors or query latency on /api/method/frappe.desk.* endpoints from a single authenticated session.
Detection Strategies
- Inspect web server access logs for authenticated requests to Dashboard Chart APIs that include SQL syntax characters in chart parameters.
- Enable MariaDB or MySQL general query logging temporarily and correlate suspicious queries with Frappe session identifiers.
- Compare deployed Frappe version against 15.74.2 and 14.96.15 using bench version to confirm patch status.
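An added detection example (not Frappe's own code) implementing the log inspection described above: it parses constructed access-log lines and flags Dashboard Chart requests whose chart parameters carry the meta-characters listed. The endpoint path pattern and the parameter names are assumptions taken from this page; adjust them to your instance's routes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: Dashboard Chart calls are served under /api/method/frappe.desk.*
# with "dashboard_chart" in the method path; adjust to your instance's routes.
CHART_ENDPOINT_RE = re.compile(r"^/api/method/frappe\.desk\.[\w.]*dashboard_chart")
# Chart parameters named on this page as flowing into the server-side query.
WATCHED_PARAMS = ("chart_type", "group_by_based_on", "document_type", "filters")
# Meta-character indicators listed on this page; keywords matched case-insensitively.
SQL_META_RE = re.compile(r"'|--|\bunion\b|\bsleep\s*\(", re.IGNORECASE)
# Combined-log request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target: str) -> dict:
    """Return {param: [values]} for watched params whose value has SQL meta-chars."""
    parts = urlsplit(target)
    if not CHART_ENDPOINT_RE.match(parts.path):
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        name: vals
        for name, vals in query.items()
        if name in WATCHED_PARAMS and any(SQL_META_RE.search(v) for v in vals)
    }

def scan_access_log(lines):
    """Yield (line_no, path, hits) for request lines matching the indicator pattern."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            yield no, urlsplit(m.group("target")).path, hits

# Constructed sample lines (not real traffic): a benign Group By request, one with
# a quote and comment marker in group_by_based_on, and one to an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2025:10:01:02 +0000] "GET /api/method/frappe.desk.doctype.dashboard_chart.dashboard_chart.get?chart_type=Group+By&group_by_based_on=status HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Aug/2025:10:01:07 +0000] "GET /api/method/frappe.desk.doctype.dashboard_chart.dashboard_chart.get?chart_type=Group+By&group_by_based_on=status%27-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [20/Aug/2025:10:01:09 +0000] "GET /api/method/frappe.desk.search.search_link?txt=O%27Brien HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for no, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: {path} -> {hits}")
```

Only GET query strings are visible in access logs; requests that carry chart parameters in a POST body need the application or database query logs described in the next section.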
Monitoring Recommendations
- Forward Frappe application logs and database query logs to a centralized analytics platform to enable correlation of authenticated session activity with anomalous SQL patterns.
- Alert on any low-privilege account accessing Dashboard Chart endpoints with non-standard parameter payloads.
- Track outbound data volume from the database tier to identify mass extraction attempts following suspicious chart requests.
How to Mitigate CVE-2025-55732
Immediate Actions Required
- Upgrade Frappe to version 15.74.2 (15.x branch) or 14.96.15 (14.x branch) immediately.
- Audit Dashboard Chart records and user permissions to identify accounts that may have abused the flaw prior to patching.
- Rotate any database credentials or API keys that may have been exposed through SQL injection responses.
- Review user session and audit logs for the period preceding the upgrade for evidence of exploitation.
Patch Information
The maintainers fixed the bypass by extending the chart type allow-list in the permission query builder to include Group By. The fix is delivered in commits 24dd2d9 and abe2cc2, available in Frappe 15.74.2 and 14.96.15. Full details are documented in the GitHub Security Advisory GHSA-6rpr-2hjx-w9vp.
Workarounds
- Restrict access to Dashboard Chart creation and read permissions to trusted administrative roles until the upgrade is applied.
- Place a web application firewall rule in front of the Frappe instance that blocks requests to Dashboard Chart endpoints containing SQL meta-characters in chart parameters.
- Disable Dashboard Chart functionality entirely if it is not required for business operations.
# Upgrade Frappe using bench to a patched release (15.x shown; for the 14.x
# branch use: bench switch-to-branch version-14 frappe --upgrade)
bench switch-to-branch version-15 frappe --upgrade
bench update --reset
bench version | grep frappe
# Confirm output shows frappe 15.74.2 or later (or 14.96.15 or later for 14.x)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.