Executive Summary

Information
Name: CVE-2025-52898
First vendor Publication: 2025-06-30
Vendor: Cve
Last vendor Modification: 2025-06-30

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score: N/A
Attack Range: N/A
Cvss Impact Score: N/A
Attack Complexity: N/A
Cvss Exploit Score: N/A
Authentication: N/A

Detail

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self-hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or, for self-hosted users, upgrading.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52898

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

Sources (Detail)

https://github.com/frappe/frappe/commit/52e31337a6c964189c8b883a2f7bc3a28ab374f2
https://github.com/frappe/frappe/commit/5b4849b1ab5fd796b306312745b4e202b0e90d66
https://github.com/frappe/frappe/pull/31522
https://github.com/frappe/frappe/security/advisories/GHSA-p284-r7rh-wq7j

Alert History

Date: Information
2025-07-02 02:36:48: Multiple Updates
2025-07-02 02:36:43: Multiple Updates
2025-07-01 17:20:51: Multiple Updates
2025-07-01 00:20:35: First insertion