
CVE-2025-30212: Frappe has possibility of SQL injection due to improper validations

CVSS Score: 6.6 (CVSS v4.0)

Basic Information

EPSS Score: 0.14058%
Published: 3/25/2025
Updated: 3/25/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package Name: frappe
Ecosystem: pip
Vulnerable Versions: (not given)
First Patched Version: (not given)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the build_filter_conditions method in db_query.py. Before the patch, a filter supplied as a plain string was appended to the SQL conditions unchanged (conditions.append(f)), so whoever controlled that string controlled a fragment of the generated query. The fix routes it through sanitize_column(f) to validate/escape the column name before it reaches the query. This matches CWE-89 (SQL Injection): improper neutralization of user-supplied input in an SQL command. The other changes in the same patch (e.g., HTML sanitization in setup_wizard) are unrelated to the SQL injection; the db_query.py change is the direct fix for the described vulnerability.
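The pattern described above, shown as an added illustration that is not Frappe's code: a minimal filter-condition builder in which a bare string filter is appended verbatim (the "before" behaviour), beside a hardened variant that parses the string into identifier, operator and value, allow-lists the identifier and operator, and binds the value as a parameter. The sanitize_column here is a hypothetical identifier allow-list standing in for the real function, whose exact rules this page does not give; the table, rows and filter strings are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed illustration, not Frappe's code: a minimal filter-condition
# builder that mirrors the pattern in the analysis. A filter is either a
# (column, operator, value) tuple or a bare string. The vulnerable builder
# appends the bare string verbatim (conditions.append(f)); the hardened one
# parses it, allow-lists identifier and operator, and binds the value.

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
IDENT_RE = re.compile(rf"^{IDENT}$")
ALLOWED_OPS = {"=", "!=", "<>", "<", "<=", ">", ">=", "LIKE"}
# Only this shape is accepted for a raw string filter: <col> <op> <number|'text'>
RAW_FILTER_RE = re.compile(
    rf"^\s*(?P<col>{IDENT})\s*(?P<op>=|!=|<>|<=|>=|<|>|LIKE)\s*"
    r"(?P<val>'(?:[^']|'')*'|-?\d+)\s*$",
    re.IGNORECASE,
)


class InvalidFilter(ValueError):
    pass


def sanitize_column(column):
    """Hypothetical identifier allow-list standing in for the fix's
    sanitize_column(f); the real function's rules are not given on this page."""
    if not IDENT_RE.fullmatch(column):
        raise InvalidFilter(f"invalid column name: {column!r}")
    return column


def check_operator(op):
    """Operators are SQL text too, so they are allow-listed, not interpolated."""
    op = op.upper()
    if op not in ALLOWED_OPS:
        raise InvalidFilter(f"invalid operator: {op!r}")
    return op


def build_filter_conditions_vulnerable(filters):
    """'Before' behaviour described in the analysis: a string filter is
    appended to the WHERE clause unchanged, so its author writes raw SQL."""
    conditions, params = [], []
    for f in filters:
        if isinstance(f, str):
            conditions.append(f)  # attacker-controlled SQL fragment
        else:
            col, op, val = f
            conditions.append(f"{col} {op} ?")
            params.append(val)
    return " AND ".join(conditions), params


def build_filter_conditions_fixed(filters):
    """Hardened form: identifiers validated, operators allow-listed,
    values always bound as parameters; anything else is rejected."""
    conditions, params = [], []
    for f in filters:
        if isinstance(f, str):
            m = RAW_FILTER_RE.match(f)
            if not m:
                raise InvalidFilter(f"rejected raw filter: {f!r}")
            col, op, val = sanitize_column(m["col"]), check_operator(m["op"]), m["val"]
            # Convert the literal to a Python value so it travels as a bind
            # parameter rather than as SQL text.
            params.append(val[1:-1].replace("''", "'") if val.startswith("'") else int(val))
        else:
            col, op, val = f
            col, op = sanitize_column(col), check_operator(op)
            params.append(val)
        conditions.append(f"{col} {op} ?")
    return " AND ".join(conditions), params


def accepts(filters):
    """True if the hardened builder accepts the filters, False if it rejects them."""
    try:
        build_filter_conditions_fixed(filters)
        return True
    except InvalidFilter:
        return False


def run_query(build, filters):
    """Run the built WHERE clause against a constructed in-memory table and
    return the matching note names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE note(name TEXT, owner TEXT, public INTEGER);"
        "INSERT INTO note VALUES ('n1','alice',1),('n2','bob',0),('n3','carol',0);"
    )
    where, params = build(filters)
    rows = conn.execute(f"SELECT name FROM note WHERE {where} ORDER BY name", params)
    return [r[0] for r in rows]


if __name__ == "__main__":
    legit = ("owner", "=", "alice")
    attack = "public = 1 OR 1=1"  # constructed attacker-supplied string filter
    print(run_query(build_filter_conditions_vulnerable, [legit, attack]))  # every row leaks
    print(run_query(build_filter_conditions_fixed, [legit, "public = 1"]))  # ['n1']
    print(accepts([attack]))  # False
```

With the vulnerable builder the string filter "public = 1 OR 1=1" rides into the WHERE clause as SQL, and because AND binds tighter than OR the caller's own owner restriction is bypassed and every row comes back; the hardened builder refuses the same string because it does not match the single accepted shape, and a well-formed string is reduced to a validated identifier, an allow-listed operator and a bound parameter.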


WAF Protection Rules

WAF Rule

### Impact
An SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information.

### Workarounds
Upgrading is required, no other workaround is present.

### Credits
Thanks to T…
