External risk intelligence

Frappe Framework Arbitrary File Upload Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2025-67289

Frappe Framework and ERPNext are commonly deployed as internet-facing web applications and enterprise portals. The vulnerability exists in the Attachments module, a core component of these web interfaces, making it reachable in typical web-based deployment scenarios.

Cross-site Scripting

Frappe Erpnext

15.89.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An arbitrary file upload vulnerability has been identified in the Attachments module of Frappe Framework. This issue could allow attackers to execute code by uploading malicious files. The main concern is confirming relevance and exposure to our specific environment.

  • Upload flaws allow malicious code execution.
  • Important if we use Frappe Framework or ERPNext.
  • Confirm relevance and exposure to our environment.

Attack Path

How an attacker could exploit the issue

An attacker could begin by interacting with a web application that uses the Frappe Framework. If the application has the Attachments module enabled, an attacker could upload a specially crafted XML file. This action could lead to the execution of arbitrary code on the server, with potentially significant consequences.

  • No authentication required.
  • Uploading a crafted XML file.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

An arbitrary file upload vulnerability in the Attachments module of Frappe Framework could allow unauthenticated attackers to execute arbitrary code by uploading a crafted XML file. This could affect system data, service behavior, and potentially sensitive information when exposed through the application.

  • System data and service behavior.
  • Uploading a crafted XML file.
  • Arbitrary code execution is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Frappe Framework and ERPNext are frequently deployed as internet-facing web applications, indicating that platform or application owners should lead the response to this vulnerability. The initial step involves identifying all instances of the affected technology, determining their exposure and criticality, and then assigning an accountable owner to plan remediation based on risk.

  • Identify affected systems and owners.
  • Verify exposure and business impact.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Frappe Framework and what do people use it for?

Frappe Framework is a full-stack, open-source web application framework written in Python and JavaScript. It serves as the foundational architecture for enterprise applications, most notably ERPNext. Developers use it to build data-driven business software because it handles common tasks like database management, form generation, and role-based access control, allowing users to focus on custom business logic and workflows.

How does CVE-2025-67289 relate to arbitrary file uploads?

This vulnerability falls under the Unrestricted Upload of File with Dangerous Type weakness (CWE-434). In plain terms, the application's file attachment handler does not sufficiently validate the content of uploaded files. Because the system fails to verify that the file is safe, it allows a user to provide a specially crafted XML file that the server processes as executable code rather than a simple data document.

Do I need to be logged into the system to trigger this vulnerability?

No, this vulnerability does not require an attacker to have a valid user account or prior authentication to initiate the request. The trigger occurs simply by interacting with the Attachments module via a network request. It is important to note that uploading standard, non-malicious files used for normal business operations does not trigger this flaw; the issue specifically requires the upload of a malicious XML file designed to manipulate the server's execution process.

Why should I be concerned if my instance is internet-facing?

Halo Surface Signal indicates that Frappe Framework and ERPNext are frequently deployed as public-facing web portals. Because the vulnerable Attachments module is a core component accessible through these web interfaces, any instance reachable from the internet is significantly more likely to be targeted. If your application is exposed to the public, external attackers have a direct path to reach the affected module without needing to bypass internal network defenses.

When should I take action to address this threat?

You should prioritize this immediately by creating an inventory of all systems running Frappe Framework or ERPNext. Once you have located these instances, verify which ones are exposed to the internet, as these represent the highest risk. Assign a clear owner to each system to evaluate the business impact and coordinate with your technical team to apply the necessary security updates or configuration changes as soon as they become available.

References