Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users.
Metrics
Affected Vendors & Products
References
History
Tue, 08 Jul 2025 15:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Frappe
Frappe frappe |
|
CPEs | cpe:2.3:a:frappe:frappe:*:*:*:*:*:*:*:* | |
Vendors & Products |
Frappe
Frappe frappe |
|
Metrics |
cvssV3_1
|
Mon, 30 Jun 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 30 Jun 2025 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users. | |
Title | Frappe account takeover via password reset token leakage | |
Weaknesses | CWE-200 | |
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-06-30T17:19:31.543Z
Updated: 2025-06-30T18:01:16.717Z
Reserved: 2025-06-20T17:42:25.710Z
Link: CVE-2025-52898

Updated: 2025-06-30T18:01:10.878Z

Status : Analyzed
Published: 2025-06-30T18:15:25.773
Modified: 2025-07-08T14:43:50.023
Link: CVE-2025-52898

No data.