CVE-2025-30212
Published: 25 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30212 is an SQL injection vulnerability (CWE-89) in the Frappe Framework, a full-stack web application framework. It affects versions prior to 14.89.0 and 15.51.0, potentially allowing malicious actors to access sensitive information. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely over the network without user interaction. Successful exploitation enables extraction of sensitive data from the underlying database, though it does not impact integrity or availability.
The Frappe security advisory (GHSA-3hj6-r5c9-q8f3) and associated GitHub commits (27f13437db161a173137d91cd07d0f9287d7c556 and 2ebd88520ecfa9bb7d3392b7de8c8f94a86ec05c) confirm that versions 14.89.0 and 15.51.0 address the issue. Mitigation requires upgrading to one of these patched versions, as no workarounds are available.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing Frappe web app framework enables remote unauthenticated extraction of database data, directly mapping to exploitation of public-facing applications.