Platform: erpnext
Component: frappe/frappe
Fixed in: 14.99.7, 15.0.1
CVE-2025-68953 describes a Path Traversal vulnerability discovered in the Frappe Framework. This flaw allows attackers to potentially retrieve arbitrary files from the server, compromising data confidentiality. The vulnerability affects versions 14.99.5 and below, as well as versions 15.0.0 through 15.80.1. A fix is available in versions 14.99.6 and 15.88.1.
Successful exploitation of CVE-2025-68953 allows an attacker to bypass intended access controls and read sensitive files from the Frappe Framework server. This could include configuration files containing database credentials, source code, or other confidential data. The impact extends beyond simple information disclosure; an attacker could potentially use the retrieved files to further compromise the system, such as gaining a deeper understanding of the application's architecture or identifying other vulnerabilities. The blast radius depends on the sensitivity of the files accessible via path traversal, potentially impacting the entire application and its users.
CVE-2025-68953 was published on 2026-01-05. Currently, there are no publicly known proof-of-concept exploits. The EPSS score is pending evaluation. While no active exploitation campaigns have been reported, the vulnerability's ease of exploitation makes it a potential target for opportunistic attackers.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68953 is to upgrade to Frappe Framework version 14.99.6 or 15.88.1. If immediate upgrading is not feasible, a temporary workaround involves configuring a reverse proxy. This can help to sanitize incoming requests and prevent path traversal attempts. Ensure that the reverse proxy is properly configured to validate and filter user input. Additionally, review and restrict file permissions on the server to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting a path traversal request and verifying that access is denied.
Update Frappe to version 14.99.6 or later, or to version 15.88.1 or later. As an alternative, configure a reverse proxy to mitigate the path traversal vulnerability. This will help sanitize requests and prevent access to arbitrary files.
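As an added illustration of the vulnerability class and of the two layers of defence the advisory describes (a correct server-side containment check, and a reverse-proxy filter on incoming requests), the following Python is example code written for this page; it is not Frappe code and not the fix shipped in the patched releases. The root directory, file names, `FILES_ROOT`, and the access-log lines are constructed.

```python
"""Path traversal: the unsafe join, the hardened server-side check, and a
proxy-style request filter run over constructed access-log lines.

Added illustration for this advisory, not Frappe code and not the patch.
The root directory, file names and log lines below are constructed.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

FILES_ROOT = "/srv/app/files"  # constructed directory the application serves files from


def unsafe_join(root: str, user_path: str) -> str:
    """The vulnerable pattern: user input is joined onto root with no containment
    check, so '..' segments in user_path walk out of root."""
    return os.path.normpath(os.path.join(root, user_path))


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """The hardened form: resolve the candidate and refuse anything outside root.

    realpath() collapses '..' and follows symlinks; commonpath() guards against
    prefix tricks such as /srv/app/files-old passing a startswith() on root.
    Returns the resolved path, or None if the request must be rejected.
    """
    root_abs = os.path.realpath(root)
    # os.path.join discards root when user_path is absolute; the check below catches that too
    candidate = os.path.realpath(os.path.join(root_abs, user_path))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


# A '..' path segment, after decoding and with backslashes normalised to '/'
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def looks_like_traversal(raw_request_path: str) -> bool:
    """Request-level check of the kind a reverse-proxy rule applies.

    Decodes up to two rounds of percent-encoding (so %252e%252e is seen as '..')
    and flags any '..' segment. Deliberately coarse: a benign /a/../b is also
    refused, which is acceptable at the perimeter but is not a substitute for
    resolve_under_root() in the application itself.
    """
    decoded = raw_request_path
    for _ in range(2):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    decoded = decoded.replace("\\", "/")
    return bool(DOTDOT_SEGMENT.search(decoded))


# Common Log Format: client, ident, user, [timestamp], "METHOD path HTTP/x", status, bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

SAMPLE_ACCESS_LOG = [  # constructed lines, not from any real incident
    '10.0.0.5 - - [05/Jan/2026:10:00:01 +0000] "GET /files/report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Jan/2026:10:00:02 +0000] "GET /files/..%2F..%2Fconfig/db.conf HTTP/1.1" 200 812',
    '10.0.0.9 - - [05/Jan/2026:10:00:03 +0000] "GET /files/%252e%252e/%252e%252e/config/db.conf HTTP/1.1" 403 0',
    '10.0.0.7 - - [05/Jan/2026:10:00:04 +0000] "GET /files/sub/../report.pdf HTTP/1.1" 200 5120',
]


def flag_traversal_requests(lines):
    """Return (client, decoded_path, status) for every log line whose request path
    looks like a traversal attempt. A 200 on such a line is the one to investigate."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _ts, path, status = m.groups()
        if looks_like_traversal(path):
            hits.append((client, unquote(unquote(path)), int(status)))
    return hits


if __name__ == "__main__":
    print("unsafe:", unsafe_join(FILES_ROOT, "../../../config/db.conf"))
    print("safe:  ", resolve_under_root(FILES_ROOT, "../../../config/db.conf"))
    for hit in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("suspicious request:", hit)
```

The proxy filter and the log scan share one predicate, which is the point of the workaround in the advisory: the same rule that rejects a request at the edge also tells you, from existing access logs, whether such requests were answered with a 200 before the upgrade. The server-side check remains the actual fix; a perimeter filter only narrows the window.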
CVE-2025-68953 is a Path Traversal vulnerability affecting Frappe Framework versions ≤ 15.0.0 and < 15.88.1, allowing attackers to potentially retrieve arbitrary files from the server.
You are affected if you are using Frappe Framework versions 14.99.5 and below, or versions 15.0.0 through 15.80.1. Upgrade to 14.99.6 or 15.88.1 to mitigate the risk.
Upgrade to Frappe Framework version 14.99.6 or 15.88.1. As a temporary workaround, configure a reverse proxy to sanitize incoming requests.
No active exploitation campaigns have been reported, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official Frappe Framework security advisories on their website for detailed information and updates.