Cyber Posture

CVE-2025-67289

Severity: Critical · Public PoC available
Published: 22 December 2025
Modified: 02 January 2026
KEV Added: none listed
Patch: see references below
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.9th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Directly prevents exploitation by validating the format, type, and content of uploaded files in the Attachments module, blocking crafted XML files that would otherwise enable arbitrary code execution.
- Prevent: Restricts uploads to safe file types and attributes in the Frappe Framework Attachments module, mitigating unrestricted upload of dangerous XML files.
- Prevent: Remediates the specific flaw in Frappe Framework v15.89.0 through timely patching, eliminating the arbitrary file upload vulnerability.
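The first two controls above ("validate format, type and content" and "restrict uploads to safe file types") are abstract. The following is an added example of what such a check looks like in practice; it is not Frappe's own code and does not use any Frappe API. It assumes a server-side hook that receives the client-supplied filename and the raw bytes, and that the deployment only needs PNG, JPEG and PDF attachments (the allow-list, the 10 MiB cap and the 4 KiB sniff window are all assumptions to adjust per deployment). The sample inputs are constructed.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Allow-listed extensions mapped to the leading bytes (file signature) that a
# genuine file of that type must begin with. Anything not listed is refused.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Markup a browser or XML parser would interpret if the file were ever served
# or parsed; refused regardless of the extension the client declared.
ACTIVE_CONTENT = [
    re.compile(p, re.IGNORECASE)
    for p in (rb"<\?xml", rb"<!doctype", rb"<!entity", rb"<script", rb"<svg", rb"<html", rb"<\?php")
]
MAX_BYTES = 10 * 1024 * 1024  # assumption: 10 MiB cap per attachment
SNIFF_BYTES = 4096            # assumption: how much of the head to scan for markup


@dataclass
class UploadVerdict:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # server-chosen name; the client's name is never reused


def validate_upload(filename: str, data: bytes) -> UploadVerdict:
    """Accept an upload only if name, declared type and actual content all agree."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return UploadVerdict(False, "empty or oversized file")
    # Path separators and NUL bytes in a client-supplied name are never legitimate.
    if any(ch in filename for ch in ("/", "\\", "\x00")):
        return UploadVerdict(False, "filename contains path characters")
    # Only the final extension counts: 'report.xml.png' is judged as png and must look like one.
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_SIGNATURES:
        return UploadVerdict(False, f"extension '{ext}' is not on the allow-list")
    # Declared type and real content must agree (an XML file renamed to .png fails here).
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return UploadVerdict(False, "content does not match declared type")
    # A valid signature is not enough: a polyglot can carry markup after a real header.
    if any(p.search(data[:SNIFF_BYTES]) for p in ACTIVE_CONTENT):
        return UploadVerdict(False, "active markup found in file body")
    # Store under a random server-chosen name so the client controls neither path nor extension.
    return UploadVerdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


# Constructed sample inputs (not real uploads).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_XML = b'<?xml version="1.0"?><note>hello</note>'
SAMPLE_POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"


def demo() -> dict:
    """Run the validator over the constructed cases and return each verdict."""
    cases = {
        "logo.png": SAMPLE_PNG,        # genuine image: accepted
        "invoice.xml": SAMPLE_XML,     # XML extension: not allow-listed
        "invoice.png": SAMPLE_XML,     # XML renamed to look like an image: signature mismatch
        "../../logo.png": SAMPLE_PNG,  # path characters in the name
        "chart.png": SAMPLE_POLYGLOT,  # real PNG header followed by markup
    }
    return {name: validate_upload(name, data) for name, data in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} accepted={str(verdict.accepted):5} {verdict.reason}")
```

The three independent checks (extension allow-list, signature agreement, head sniff for markup) each catch a case the other two miss, which is why a single extension filter is not enough for CWE-434; discarding the client's filename removes the remaining lever an uploader has over where and as what the file is stored.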

Security Summary [AI-generated]

CVE-2025-67289 is an arbitrary file upload vulnerability in the Attachments module of Frappe Framework version 15.89.0. Published on 2025-12-22T18:16:16.947, it enables attackers to execute arbitrary code by uploading a crafted XML file. The vulnerability is associated with CWE-79 (Cross-site Scripting) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

The vulnerability can be exploited by unauthenticated attackers over the network with low attack complexity, though it requires user interaction. Successful exploitation allows attackers to achieve high-impact confidentiality, integrity, and availability effects with a change in scope, potentially leading to full arbitrary code execution on the affected system.

Mitigation details are available in advisories and resources at http://erpnext.com, http://frappe.com, and https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.md. Security practitioners should consult these references for patch information and remediation steps specific to Frappe Framework deployments.

Details

CWE(s)

- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-79: Cross-site Scripting

Affected Products

| Vendor | Product | Version |
|--------|---------|---------|
| frappe | erpnext | 15.89.0 |
| frappe | frappe  | 15.89.0 |

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An arbitrary file upload vulnerability in a public-facing web application (Frappe Framework/ERPNext) enables unauthenticated remote code execution, which maps directly to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References