PT-2025-27461 · Frappe · Frappe
Houssam Drissi · Published 2025-06-30 · Updated 2025-06-30
CVE-2025-52898
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Frappe versions prior to 14.94.3
Frappe versions prior to 15.58.0
Description:
A carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This issue can only be exploited on self-hosted instances configured in a certain way. Frappe Cloud users are not affected.
Recommendations:
For self-hosted users, upgrade to version 14.94.3 or later.
For self-hosted users, upgrade to version 15.58.0 or later.
As a temporary workaround, consider verifying password reset URLs before clicking on them.
Vulnerability Type: Information Disclosure
Affected Products: Frappe