Low severity · OSV Advisory · Published Sep 18, 2025 · Updated Apr 15, 2026
CVE-2025-59421
Description
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood a user's inbox by repeatedly sending duplicate invites. The issue is fixed in commit 83c3fc7676c5dbbe1fd5092d21d95a10c7b48615.
Affected products (1)
Patches (1)
83c3fc7676c5: fix(invite-member): rate limit and disallow duplicate invite for a day
1 file changed · +13 −0
press/press/doctype/team/team.py+13 −0 modified@@ -10,6 +10,7 @@ from frappe.contacts.address_and_contact import load_address_and_contact from frappe.core.utils import find from frappe.model.document import Document +from frappe.rate_limiter import rate_limit from frappe.utils import get_fullname, get_url_to_form, random_string from press.api.client import dashboard_whitelist @@ -831,6 +832,7 @@ def get_team_members(self): return get_team_members(self.name) @dashboard_whitelist() + @rate_limit(limit=10, seconds=60 * 60) def invite_team_member(self, email, roles=None): PressRole = frappe.qb.DocType("Press Role") PressRoleUser = frappe.qb.DocType("Press Role User") @@ -852,6 +854,17 @@ def invite_team_member(self, email, roles=None): if frappe.db.exists("Team Member", {"user": email, "parent": self.name, "parenttype": "Team"}): frappe.throw(_("Team member already exists")) + if frappe.db.exists( + "Account Request", + { + "email": email, + "team": self.name, + "invited_by": ("is", "set"), + "creation": (">", frappe.utils.add_days(None, -1)), + }, + ): + frappe.throw("User has already been invited recently. Please try again later.") + account_request = frappe.get_doc( { "doctype": "Account Request",
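Review bot: in the second hunk, `@rate_limit(limit=10, seconds=60 * 60)` on `invite_team_member` is given no `key`, so the bucket is not tied to the team or to the `email` argument, and ten invites an hour to ten different addresses still pass. Please add a comment stating which bucket is intended, and consider whether a per-team count of recent Account Request rows would be a better ceiling than a per-caller one. The change is `+13 −0` in one file with no test; a test that calls the method past the limit would pin the behaviour down.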
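Review bot: in the third hunk, the new `frappe.throw("User has already been invited recently. Please try again later.")` passes a bare string, while the existing throw directly above it wraps its message in `_()`; wrap this one as well so it is translatable. The lookup filters on `email` exactly as it was passed in, so it is worth confirming that the value is normalised the same way here as when the Account Request is created, otherwise two spellings of one mailbox count as different invitees. The one-day window is the literal `-1` in `frappe.utils.add_days(None, -1)`; a named constant or a short comment would tie it to the "for a day" in the commit subject.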