Frappe Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in the Frappe web application framework, affecting versions prior to 15.86.0 on the version 15 branch and prior to 14.99.2 on the version 14 branch. Crafted requests can retrieve files from the server's filesystem, provided the attacker knows the full path of the target file. The issue affects deployments in which Werkzeug and Gunicorn handle requests directly; Frappe Cloud and deployments behind a reverse proxy such as NGINX are unaffected.
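The following is an added illustration of the vulnerability class described above, not code from Frappe or from the advisory: a file-retrieval routine that joins a client-supplied path onto a document root without any containment check, beside a hardened version that canonicalises the path and refuses anything outside the root. The directory layout and file contents are constructed sample data.

```python
import os
import tempfile


def read_file_naive(root: str, requested: str) -> bytes:
    """VULNERABLE pattern (illustrative, not Frappe's code): the client-supplied
    path is joined onto the document root with no containment check.
    A request of "../secret.txt" walks out of root, and an absolute path such
    as "/etc/passwd" makes os.path.join discard root entirely, so any file the
    server process can read is retrievable once its full path is known."""
    path = os.path.join(root, requested)
    with open(path, "rb") as fh:
        return fh.read()


def read_file_safe(root: str, requested: str) -> bytes:
    """Hardened form: canonicalise both root and candidate (resolving ".." and
    symlinks) and refuse anything that does not stay under root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath compares whole components, so a sibling directory such as
    # "/srv/public2" is not mistaken for a child of "/srv/public".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"refusing to serve outside document root: {requested!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree (constructed sample data) and exercise both
    readers. Returns what each call produced so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "public")
        os.mkdir(root)
        with open(os.path.join(root, "hello.txt"), "wb") as fh:
            fh.write(b"public content")
        # A file one level above the document root, standing in for a
        # sensitive file (site configuration, credentials) outside it.
        with open(os.path.join(base, "secret.txt"), "wb") as fh:
            fh.write(b"site secrets")

        results = {}
        results["safe_ok"] = read_file_safe(root, "hello.txt")
        results["naive_escape"] = read_file_naive(root, "../secret.txt")
        try:
            read_file_safe(root, "../secret.txt")
            results["safe_escape"] = "served"
        except PermissionError:
            results["safe_escape"] = "refused"
        try:
            read_file_safe(root, os.path.join(base, "secret.txt"))  # absolute path
            results["safe_absolute"] = "served"
        except PermissionError:
            results["safe_absolute"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

Because `os.path.realpath` resolves symlinks, the hardened reader also rejects a symlink inside the root that points outside it. When NGINX fronts the application, the request path is normalised and static files are typically served by the proxy rather than by the Python stack, which is why the advisory scopes the issue to direct Werkzeug/Gunicorn deployments.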

Impact

Exploitation of this vulnerability allows arbitrary file read on the server: any file readable by the Frappe process can be retrieved if its full path is known, with the potential to expose sensitive information.

Remediation

Upgrade to Frappe 15.86.0 or 14.99.2 (or a later release on the respective branch) to address this vulnerability. Deployments that expose Werkzeug and Gunicorn directly should additionally be placed behind a reverse proxy such as NGINX, which is the configuration the advisory identifies as unaffected.
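An added helper for checking an installed version against the two fixed releases named above (example code, not part of Frappe or the advisory). It takes a version string such as the one printed by `bench version` and reports whether that release is in the affected range; the treatment of branches the advisory does not name (older than 14, or newer than 15) is an assumption and is flagged as such in the code.

```python
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED_RELEASES = {14: (14, 99, 2), 15: (15, 86, 0)}


def parse_version(text: str) -> tuple:
    """Parse "15.85.3", "v15.85.3" or "15.85.3-something" into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str):
    """True if the release is affected, False if it carries the fix,
    None if the major version is outside the branches the advisory names."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_RELEASES:
        return v < FIXED_RELEASES[major]
    if major < 14:
        # Assumption: older branches predate both fixes and receive no fix,
        # so treat them as affected (and as needing a branch upgrade anyway).
        return True
    # Assumption: majors newer than 15 are not covered by this advisory's
    # version list; report "unknown" rather than guessing either way.
    return None


if __name__ == "__main__":
    for sample in ("15.85.3", "15.86.0", "14.99.1", "14.99.2", "v15.90.1", "16.0.0"):
        print(sample, "->", is_affected(sample))
```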

Added: Dec 1, 2025, 9:20 PM
Updated: Dec 1, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 7.6
remediation: 7.9
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.