CVE-2025-59421 - Vulnerability Details

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed in commit 83c3fc7676c5dbbe1fd5092d21d95a10c7b48615.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Frappe	Frappe Press

No data.

References

Link	Providers
https://github.com/frappe/press/commit/83c3fc7676c5dbbe1fd5092d21d95a10c7b48615
https://github.com/frappe/press/security/advisories/GHSA-68qm-vp8f-rpr3

History

Fri, 19 Sep 2025 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Frappe Frappe frappe Frappe press
Vendors & Products		Frappe Frappe frappe Frappe press

Thu, 18 Sep 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed in commit 83c3fc7676c5dbbe1fd5092d21d95a10c7b48615.
Title		Press vulnerable to email flooding to users due to lack of validation and rate limits
Weaknesses		CWE-770
References		https://github.com/frappe/press/commit/83c3fc7676c5dbbe1fd5092d21d95a10c7b48615 https://github.com/frappe/press/security/advisories/GHSA-68qm-vp8f-rpr3
Metrics		cvssV4_0 `{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-09-18T14:42:40.662Z

Updated: 2025-09-18T14:42:40.662Z

Reserved: 2025-09-15T19:13:16.904Z

Link: CVE-2025-59421

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-09-18T15:15:38.743

Modified: 2025-09-18T15:15:38.743

Link: CVE-2025-59421

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object