CVE-2025-67289
Published: 22 December 2025
Summary
CVE-2025-67289 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Frappe ERPNext. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 28.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents exploitation by validating the format, type, and content of uploaded files in the Attachments module to block crafted XML enabling arbitrary code execution.
Restricts uploads to safe file types and attributes in the Frappe Framework Attachments module, mitigating unrestricted upload of dangerous XML files.
Remediates the specific flaw in Frappe Framework v15.89.0 through timely patching, eliminating the arbitrary file upload vulnerability.
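The first two controls above amount to allowlist-based validation of what an attachment endpoint accepts, plus refusing to serve anything that a browser would render as markup. The following is an added illustration of that control, not code from Frappe or ERPNext: a validator that checks the filename, an extension allowlist, magic bytes for binary types, and content sniffing that rejects XML/SVG/HTML bodies whatever extension was claimed, together with response headers that force attachments to download rather than render inline. The allowlist, size limit, helper names and test inputs are all assumptions chosen for the example.

```python
import os
import re
from dataclasses import dataclass

# Added example (not Frappe/ERPNext code). The allowlist and limits below are
# assumptions for illustration; a real deployment sets them per business need.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt", "csv"}

# Leading byte signatures for the binary formats we allow.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# Markup that browsers will parse, and run scripts from, when served inline.
# Checked on the content itself so a renamed XML/SVG/HTML file is still caught.
MARKUP_RE = re.compile(rb"^\s*<(\?xml|!doctype|svg|html|script)", re.IGNORECASE)


@dataclass
class Verdict:
    accepted: bool
    reason: str


def _strip_bom(data: bytes) -> bytes:
    # A UTF-8 BOM in front of "<?xml" must not hide the markup from the check.
    return data[3:] if data.startswith(b"\xef\xbb\xbf") else data


def validate_upload(filename: str, content: bytes, max_bytes: int = 10 * 1024 * 1024) -> Verdict:
    # 1. Filename: a bare name only, no path components, no NUL bytes.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name != filename or "\x00" in name:
        return Verdict(False, "rejected: filename contains path separators or NUL")

    # 2. Extension allowlist, using the last extension (so "x.pdf.svg" is .svg).
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(False, "rejected: missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"rejected: extension .{ext} not in allowlist")

    # 3. Size bounds.
    if not content:
        return Verdict(False, "rejected: empty file")
    if len(content) > max_bytes:
        return Verdict(False, "rejected: exceeds size limit")

    # 4. Content sniffing: markup is refused regardless of the claimed type.
    body = _strip_bom(content)
    if MARKUP_RE.match(body):
        return Verdict(False, "rejected: content is XML/SVG/HTML markup")

    # 5. Binary types must carry the signature of the type they claim to be.
    if ext in MAGIC:
        if not body.startswith(MAGIC[ext]):
            return Verdict(False, f"rejected: content does not match .{ext} signature")
    else:
        # Plain-text types: must decode as UTF-8, no NULs, no embedded markup.
        try:
            text = body.decode("utf-8")
        except UnicodeDecodeError:
            return Verdict(False, "rejected: text file is not valid UTF-8")
        if "\x00" in text or re.search(r"<\s*(script|svg|html|\?xml)", text, re.IGNORECASE):
            return Verdict(False, "rejected: text file contains embedded markup")

    return Verdict(True, "accepted")


def download_headers(name: str) -> dict:
    # Defence in depth when serving stored attachments: force a download and
    # disable MIME sniffing so a file that slipped past validation is still
    # not rendered (and scripted) in the application's origin.
    safe = re.sub(r'["\\\r\n]', "_", name)
    return {
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream",
    }


if __name__ == "__main__":
    # Constructed sample uploads, not real attacker payloads.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
        ("logo.png", b"\xef\xbb\xbf<?xml version=\"1.0\"?><svg xmlns=\"http://www.w3.org/2000/svg\"/>"),
        ("image.svg", b"<svg/>"),
        ("../../etc/passwd.txt", b"hello"),
        ("notes.txt", b"plain text only"),
        ("pic.jpg", b"GIF89a constructed"),
    ]
    for fname, data in samples:
        print(f"{fname:24} -> {validate_upload(fname, data)}")
```

The order of the checks matters: the markup sniff runs on every file before the per-type signature check, so a crafted XML or SVG body is rejected even when it is renamed to an allowed extension, and the download headers mean the stored file is never interpreted by the browser in the application's origin even if validation is later bypassed.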
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload vulnerability in a public-facing web application (Frappe Framework/ERPNext) enables unauthenticated remote code execution, directly mapping to exploitation of public-facing applications.
NVD Description
An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.
Deeper analysis
CVE-2025-67289 is an arbitrary file upload vulnerability in the Attachments module of Frappe Framework version 15.89.0. Published on 2025-12-22T18:16:16.947, it enables attackers to execute arbitrary code by uploading a crafted XML file. The vulnerability is associated with CWE-79 (Cross-site Scripting) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
The vulnerability can be exploited by unauthenticated attackers over the network with low attack complexity, though it requires user interaction. Successful exploitation allows attackers to achieve high-impact confidentiality, integrity, and availability effects with a change in scope, potentially leading to full arbitrary code execution on the affected system.
Mitigation details are available in advisories and resources at http://erpnext.com, http://frappe.com, and https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.md. Security practitioners should consult these references for patch information and remediation steps specific to Frappe Framework deployments.
Details
- CWE(s)