CVE-2026-55852 in Frappeinfo

Summary

by MITRE • 07/10/2026

Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/11/2026

The Frappe web application framework suffers from a critical remote code execution vulnerability known as TarSlip that affects versions prior to 16.23.0 and 15.112.0. This vulnerability exists within the package import functionality where tar archive files are processed without adequate validation of their contents before extraction occurs. The flaw stems from insufficient sanitization of tarfile members, allowing maliciously crafted archives to exploit the system during the extraction process.

The technical nature of this vulnerability aligns with CWE-502 which describes unsafe deserialization of untrusted data, and specifically relates to improper handling of archive files containing malicious path traversal sequences. When the framework processes package imports, it accepts tar archives that may contain members with absolute paths or directory traversal sequences such as ../../etc/passwd or ../../../windows/system32/cmd.exe. These malicious entries can cause the extraction process to write files outside of the intended target directories, potentially leading to arbitrary code execution on the server hosting the Frappe application.

The operational impact of this vulnerability is severe and directly maps to several tactics in the MITRE ATT&CK framework including T1059 for command and script injection, T1203 for exploitation for privilege escalation, and T1083 for file and directory discovery. An attacker could leverage this vulnerability to execute arbitrary commands on the target system with the privileges of the Frappe application process, potentially leading to complete system compromise.

The remediation involves updating to versions 16.23.0 or 15.112.0 where proper validation has been implemented for tarfile members during package import operations. Security practitioners should implement additional mitigations including restricting network access to package import endpoints, implementing strict file type validation, and monitoring for suspicious extraction activities. Organizations using older versions should immediately disable package import functionality until the upgrade can be completed, as this vulnerability provides a direct path to remote system compromise without requiring authentication or specialized exploitation techniques.

This vulnerability demonstrates the critical importance of proper input validation in archive handling operations and highlights how seemingly benign functionality like package imports can become attack vectors when proper security controls are not implemented. The fix addresses the root cause by implementing comprehensive checks on tarfile member paths, ensuring that all extracted files remain within the intended extraction directory and preventing path traversal attacks that could lead to arbitrary code execution.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!