CVE-2025-30214
Published: 25 March 2025
Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-30214 is an information disclosure vulnerability in Frappe, a full-stack web application framework. In versions prior to 14.89.0 and 15.51.0, attackers can send crafted requests to expose sensitive information, potentially enabling account takeover. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-287 (Improper Authentication).
Remote, unauthenticated attackers with network access can exploit the vulnerability with low attack complexity and no user interaction. Exploitation yields high confidentiality impact through data leakage, which can chain into account takeover by leveraging the disclosed information.
The official Frappe security advisory (GHSA-qrv3-jc3h-f3m6) at https://github.com/frappe/frappe/security/advisories/GHSA-qrv3-jc3h-f3m6 confirms that upgrading to version 14.89.0 or 15.51.0 resolves the issue, with no workaround available short of applying these patches.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated information disclosure in a public-facing web framework, directly enabling exploitation via T1190 Exploit Public-Facing Application. The sensitive data leakage can facilitate account takeover, mapping to T1078 Valid Accounts.