CVE-2025-68953
Published: 05 January 2026
Summary
CVE-2025-68953 is a high-severity Path Traversal (CWE-22) vulnerability in the Frappe web application framework (vendor: Frappe). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability is ranked at the 19.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68953 is a path traversal vulnerability (CWE-22) affecting the Frappe full-stack web application framework. Versions 14.99.5 and below, as well as 15.0.0 through 15.80.1, handle certain requests without proper sanitization, enabling attackers to retrieve arbitrary files from the server. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting a high confidentiality impact with no requirement for authentication or user interaction.
Remote attackers without privileges can exploit this issue over the network with low complexity by crafting malicious requests that traverse directory paths. Successful exploitation allows reading sensitive arbitrary files on the server, potentially exposing configuration data, source code, or other critical information, though it does not enable modification or execution of code.
The vulnerability is fixed in Frappe versions 14.99.6 and 15.88.1, as detailed in GitHub commits 3867fb112c3f7be1a863e40f19e9235719f784fb and 959efd6a498cfaeaf7d4e0ab6cca78c36192d34d, and the security advisory GHSA-xj39-3g4p-f46v. As a workaround, administrators are advised to configure a reverse proxy in front of the application.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206230
Vulnerability details
Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables direct arbitrary file reads (T1005) and supports file and directory discovery (T1083) on the local system without authentication.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the lack of proper input sanitization in Frappe requests that enables path traversal attacks by enforcing validation mechanisms at input points.
SI-2 mitigates the vulnerability by requiring timely identification, reporting, and correction of the path traversal flaw through patching to fixed versions 14.99.6 or 15.88.1.
SC-7 provides boundary protection via reverse proxies or WAFs that can monitor and block malicious path traversal requests as a recommended workaround.
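As an added illustration of the SI-10 input validation discussed above (example code written here, not code from Frappe or from either fix commit), the following Python function confines a user-supplied file path to a fixed root and rejects the traversal variants a defender should expect: plain `..`, URL-encoded and double-encoded dots, backslash separators, NUL bytes, and sibling-directory prefixes. The root directory and the sample requests are constructed for the example and are not Frappe's own paths.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample root for the example; a real deployment would use
# the application's private files directory (hypothetical path, not Frappe's).
SITE_FILES_ROOT = "/srv/app/sites/example/private/files"


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the allowed root."""


def resolve_safe_path(root: str, requested: str) -> str:
    """Return the absolute path under `root` for `requested`, or raise.

    This is the SI-10 style check the advisory calls for: decode the input,
    normalise it, and verify the result is still inside `root` before any
    filesystem access happens.
    """
    # Decode twice so a double-encoded "%252e%252e" is seen as "..".
    decoded = unquote(unquote(requested))
    # Embedded NUL bytes can truncate the path at lower layers; refuse them.
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    # Treat backslashes as separators so "..\\" variants normalise the same way.
    decoded = decoded.replace("\\", "/")
    # A leading slash would make join() discard root; re-root the request.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Require root itself or a true descendant; the trailing "/" in the
    # prefix check stops "files2/..." from passing as a child of "files".
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathTraversalError(f"path escapes root: {requested!r}")
    # On a live system, additionally compare os.path.realpath(candidate)
    # against the realpath of root so symlinks cannot escape either.
    return candidate


def is_request_safe(requested: str, root: str = SITE_FILES_ROOT) -> bool:
    """Convenience wrapper for request filtering or log review: True if safe."""
    try:
        resolve_safe_path(root, requested)
        return True
    except PathTraversalError:
        return False
```

The same predicate can be applied at a reverse proxy or WAF layer (the SC-7 workaround) to log and drop requests before they reach the application.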