Auth bypass in Frappe Press

CVE-2025-53545

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Users can circumvent 2FA login for users because it is not validated on the server side. This vul…

Vulnerability class: Broken Authentication

EPSS: 0.003 (55.6th percentile)

Affected products

  • Frappe Press — versions < ddb439f8eb1816010f2ef653a908648b71f9bba8
