Cyber Resilience

CVE-2025-30213

Medium

Published: 25 March 2025

Published
25 March 2025
Modified
01 August 2025
KEV Added
Patch
CVSS Score v4 6.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0083 75.0th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30213 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Frappe Frappe. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Frappe is a full-stack web application framework that was vulnerable prior to versions 14.91.0 and 15.52.0. The flaw, tracked as CVE-2025-30213, stems from improper input validation (CWE-20) that permits a system user to create certain documents in a manner that results in remote code execution on the server.

An authenticated attacker with low privileges can reach the affected component over the network and leverage the issue to execute arbitrary code, yielding full control over confidentiality, integrity, and availability of the application without user interaction.

The referenced GitHub Security Advisory states there is no workaround and explicitly requires an upgrade to the patched releases 14.91.0 or 15.52.0.

EPSS for the CVE rose from a low baseline to a peak of 0.0265 on 2026-05-03 before receding to the current value of 0.0083, indicating a measurable increase in exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Frappe is a full-stack web application framework. Prior to versions 14.91.0 and 15.52.0, a system user was able to create certain documents in a specific way that could lead to remote code execution. Versions 14.9.1 and 15.52.0 contain a patch…

more

for the vulnerability. There's no workaround; an upgrade is required.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a remote code execution vulnerability in a web application framework exploitable by an authenticated low-privilege user over the network, directly enabling exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068) to achieve full system control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35614Same product: Frappe Frappe
CVE-2025-30212Same product: Frappe Frappe
CVE-2026-29077Same product: Frappe Frappe
CVE-2026-39351Same product: Frappe Frappe
CVE-2025-68929Same product: Frappe Frappe
CVE-2025-30214Same product: Frappe Frappe
CVE-2026-28436Same product: Frappe Frappe
CVE-2025-30217Same product: Frappe Frappe
CVE-2026-31877Same product: Frappe Frappe
CVE-2026-29081Same product: Frappe Frappe

Affected Assets

frappe
frappe
≤ 14.91.0 · 15.0.0 — 15.52.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of the specific RCE flaw in Frappe versions prior to 14.9.1 and 15.52.0, as no workaround exists and upgrade is mandated.

prevent

Directly addresses the CWE-20 improper input validation that allows authenticated system users to create specially crafted documents leading to RCE.

preventdetect

Verifies software and information integrity to prevent or detect unauthorized code execution resulting from the exploited input validation vulnerability.

References