Cyber Resilience

CVE-2025-68953

High

Published: 05 January 2026
Modified: 09 January 2026
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0006 19.8th percentile
Risk Priority 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68953 is a high-severity Path Traversal (CWE-22) vulnerability in Frappe Frappe. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68953 is a path traversal vulnerability (CWE-22) affecting the Frappe full-stack web application framework. Versions 14.99.5 and below, as well as 15.0.0 through 15.80.1, contain requests lacking proper sanitization, enabling attackers to retrieve arbitrary files from the server. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no requirements for authentication or user interaction.

Remote, unauthenticated attackers can exploit this issue over the network with low complexity by sending requests whose path component contains directory-traversal sequences (for example `..` segments, possibly URL-encoded) that the affected endpoints pass through without normalisation or containment checks. Successful exploitation allows reading arbitrary files the application process can access, potentially exposing configuration data (including database credentials), source code, or other sensitive information; the flaw does not by itself permit modification of files or code execution.
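The containment check that the SI-10 mitigation below describes in the abstract, shown as a standalone added example. This is not Frappe's code and does not reproduce the affected endpoint (the actual fix is in the commits cited in the advisory); it models the general CWE-22 pattern: `resolve_unsafe` joins the decoded request path onto a base directory the way a vulnerable handler does, and `resolve_safe` resolves the final path and refuses anything that lands outside the real base directory. The base directory, file names and request strings are all constructed for the demonstration.

```python
"""Added example: path containment for a file-serving handler (not Frappe's code).

`resolve_unsafe` shows why unsanitised request paths escape the intended
directory; `resolve_safe` is the hardened form. All paths, file names and
request strings below are constructed for illustration.
"""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: treat the (URL-decoded) request path as a file name.
    '..' segments walk out of base_dir, and an absolute path replaces it entirely."""
    return os.path.normpath(os.path.join(base_dir, unquote(requested)))


def resolve_safe(base_dir: str, requested: str) -> Optional[str]:
    """Hardened pattern: decode once, reject absolute paths and NUL bytes, resolve
    '..' and symlinks with realpath, then require the result to stay under the
    real base directory. Returns None for anything that escapes."""
    base_real = os.path.realpath(base_dir)
    decoded = unquote(requested)  # covers %2e%2e%2f-style encodings
    if os.path.isabs(decoded) or "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # commonpath, not startswith: '/srv/files-evil' must not pass for '/srv/files'
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo() -> Dict[str, Dict[str, bool]]:
    """Build a scratch tree and record each resolver's verdict per constructed request."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")          # the directory we intend to serve
    os.makedirs(public)
    with open(os.path.join(public, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG")                       # legitimate public asset
    with open(os.path.join(root, "site_config.json"), "w") as fh:
        fh.write('{"db_password": "constructed"}')  # sensitive file one level up

    requests = [
        "logo.png",                 # legitimate
        "../site_config.json",      # classic traversal
        "..%2Fsite_config.json",    # URL-encoded slash
        "%2e%2e/site_config.json",  # URL-encoded dots
        "/etc/hostname",            # absolute path
    ]
    results = {}
    for req in requests:
        unsafe = resolve_unsafe(public, req)
        safe = resolve_safe(public, req)
        results[req] = {
            "unsafe_escapes": not unsafe.startswith(public + os.sep),
            "safe_allows": safe is not None,
        }
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req:28s} unsafe_escapes={verdict['unsafe_escapes']} safe_allows={verdict['safe_allows']}")
```

The important design point is that the check runs on the fully resolved path (after decoding, `..` collapsing and symlink resolution) and uses `os.path.commonpath` rather than a string prefix test, so a sibling directory whose name merely starts with the base name is also rejected.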

The vulnerability is fixed in Frappe versions 14.99.6 and 15.88.1, as detailed in GitHub commits 3867fb112c3f7be1a863e40f19e9235719f784fb and 959efd6a498cfaeaf7d4e0ab6cca78c36192d34d, and in the security advisory GHSA-xj39-3g4p-f46v. As an interim workaround, the advisory recommends changing the setup to place a reverse proxy in front of the application. Note that a proxy only helps here if it normalises or rejects traversal sequences in the request path before forwarding it to Frappe; it is a stopgap and does not replace upgrading to a fixed version.

Vulnerability details

Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Why these techniques?

Path traversal gives an unauthenticated attacker direct arbitrary file reads (T1005) and, by probing for the presence or absence of known paths, supports file and directory discovery (T1083) on the local system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35614 (same product: Frappe Frappe)
CVE-2025-30212 (same product: Frappe Frappe)
CVE-2026-29077 (same product: Frappe Frappe)
CVE-2025-68929 (same product: Frappe Frappe)
CVE-2025-30214 (same product: Frappe Frappe)
CVE-2026-28436 (same product: Frappe Frappe)
CVE-2025-30217 (same product: Frappe Frappe)
CVE-2026-39351 (same product: Frappe Frappe)
CVE-2025-30213 (same product: Frappe Frappe)
CVE-2026-31877 (same product: Frappe Frappe)

Affected Assets

frappe / frappe
Affected: ≤ 14.99.5 · 15.0.0 to 15.80.1
Fixed: 14.99.6 · 15.88.1
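A triage helper, added here as an example and not part of the advisory or of Frappe, that classifies a Frappe version string against the two affected ranges and the two fixed versions the advisory gives. It does not query an installation; feed it the version string you have already obtained from the host. The version strings in the demonstration are constructed, and anything between 15.80.1 and 15.88.1, or outside both major lines, is reported as not listed rather than guessed at.

```python
"""Added example: classify a Frappe version against the CVE-2025-68953 ranges.

Ranges come from the advisory: affected <= 14.99.5 and 15.0.0 through 15.80.1;
fixed in 14.99.6 and 15.88.1. Not Frappe code; sample versions are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (lowest, highest) inclusive bounds per affected branch, from the advisory.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (14, 99, 5)),
    ((15, 0, 0), (15, 80, 1)),
]
# First fixed release per major line, from the advisory.
FIXED_BY_MAJOR: Dict[int, Version] = {14: (14, 99, 6), 15: (15, 88, 1)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?$")


def parse_version(text: str) -> Version:
    """Parse 'v15.80.1', '15.80.1' or '15.80.1-dev' into a comparable tuple.
    Raises ValueError on anything that is not MAJOR.MINOR.PATCH."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for CVE-2025-68953."""
    version = parse_version(text)
    if any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "affected"
    fixed = FIXED_BY_MAJOR.get(version[0])
    if fixed is not None and version >= fixed:
        return "fixed"
    # e.g. 15.81.0 to 15.88.0, or a 16.x line: the advisory names no range here.
    return "not listed"


def triage(versions: List[str]) -> Dict[str, str]:
    """Classify a batch of version strings (e.g. one per host) into a report."""
    return {v: classify(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for version, verdict in triage(["14.99.5", "14.99.6", "15.0.0", "15.80.1", "15.81.0", "15.88.1", "v15.90.0-dev"]).items():
        print(f"{version:14s} {verdict}")
```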

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-10 (Information Input Validation) directly addresses the root cause, the missing sanitisation of request paths in the affected Frappe endpoints, by requiring that path input be validated and normalised at the point it enters the application before it is used to locate a file.

Prevent: SI-2 (Flaw Remediation) mitigates the vulnerability through timely identification and correction of the flaw, in practice by upgrading to the fixed versions 14.99.6 or 15.88.1.

Prevent / Detect: SC-7 (Boundary Protection) covers the recommended workaround of fronting the application with a reverse proxy or WAF that normalises request paths and can block or log traversal attempts. This is a compensating control for the interval before patching, not a replacement for it.