CVE-2025-52039
📋 TL;DR
This SQL injection vulnerability in Frappe ERPNext lets an attacker inject arbitrary SQL through the txt parameter of the get_material_requests_based_on_supplier() function. Injected statements run with the privileges of the application's database account, which in a standard Frappe deployment has full access to the site database, so the practical outcome is disclosure of the data that account can read (financial records, customer and employee data) and potentially modification of it. Any deployment running an ERPNext build that does not contain the fix commit is affected.
💻 Affected Systems
- Frappe ERPNext
📦 What is this software?
ERPNext is an open-source ERP suite developed by Frappe. It runs on the Frappe framework (Python, MariaDB by default), which exposes whitelisted Python functions as HTTP API endpoints under /api/method/; the affected function is one such endpoint, and txt is the search-text argument that Frappe link-field searches pass to it.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing extraction of all sensitive data including financial records, customer information, employee data, and business secrets, potentially leading to data destruction or ransomware deployment.
Likely Case
Unauthorized data extraction from the ERPNext database, potentially exposing sensitive business information, customer data, and financial records.
If Mitigated
Exposure is bounded by what the application's database account can read and by any request filtering placed in front of the endpoint. Only the official fix (parameterized queries in the affected function) removes the injection itself; filtering and WAF rules reduce, but do not eliminate, the attack surface.
🎯 Exploit Status
SQL injection vulnerabilities are routinely weaponized, and a search endpoint with a string parameter is a low-effort target. At the time of writing no public PoC is known, but the advisory names the function and parameter, which is enough for an attacker to construct one.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Any ERPNext build that includes commit de919568b4f7a86c8d418c0c3fd88e1f3101696c
Vendor Advisory: https://github.com/frappe/erpnext/pull/49192/commits/de919568b4f7a86c8d418c0c3fd88e1f3101696c
Restart Required: Yes
Instructions:
1. Update to an ERPNext release that contains the fix commit (for a bench-managed deployment, bench update pulls the app and rebuilds), or, if you cannot move to that release, cherry-pick the commit from the pull request into your apps/erpnext checkout.
2. Restart the application workers (bench restart) so the patched code is loaded.
3. Verify the fix by exercising the affected endpoint as described under "How to Verify", on a non-production copy where possible.
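To make the defect class and the fix concrete, here is an added illustrative example; it is not ERPNext's code and does not reproduce the affected function. A hypothetical vulnerable search splices txt into the SQL string, and the hardened version passes it as a bound parameter. An in-memory SQLite table stands in for the Material Request table (schema and rows are constructed); Frappe's own frappe.db.sql(query, values) accepts a values tuple in the same way, with %s placeholders for MariaDB.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Material Request table (not ERPNext's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE material_request (name TEXT, supplier TEXT, status TEXT);
        INSERT INTO material_request VALUES ('MR-001', 'Acme Supplies', 'Open');
        INSERT INTO material_request VALUES ('MR-002', 'Acme Supplies', 'Stopped');
        INSERT INTO material_request VALUES ('MR-003', 'Globex', 'Open');
        -- A second table the search endpoint should never be able to reach.
        CREATE TABLE api_keys (user TEXT, secret TEXT);
        INSERT INTO api_keys VALUES ('Administrator', 's3cr3t-api-secret');
    """)
    return conn


def vulnerable_search(conn, supplier, txt):
    """Hypothetical vulnerable pattern: user-controlled txt is spliced into the SQL text."""
    sql = (
        "SELECT name FROM material_request "
        "WHERE supplier = '%s' AND status = 'Open' AND name LIKE '%%%s%%'" % (supplier, txt)
    )
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, supplier, txt):
    """Hardened form: placeholders in the SQL, values handed to the driver separately.

    Note that LIKE wildcards (% and _) inside txt still act as wildcards; that is a
    separate matching concern, not an injection, and can be escaped if unwanted.
    """
    sql = (
        "SELECT name FROM material_request "
        "WHERE supplier = ? AND status = 'Open' AND name LIKE ?"
    )
    return [row[0] for row in conn.execute(sql, (supplier, "%" + txt + "%"))]


# Generic UNION-style payload; closes the LIKE literal, appends a query, comments out the rest.
PAYLOAD = "' UNION SELECT secret FROM api_keys -- "

if __name__ == "__main__":
    conn = make_db()
    print("normal search  :", vulnerable_search(conn, "Acme Supplies", "MR"))
    print("vulnerable+payload:", vulnerable_search(conn, "Acme Supplies", PAYLOAD))
    print("safe+payload   :", safe_search(conn, "Acme Supplies", PAYLOAD))
```

With the payload, the vulnerable function returns the api_keys secret alongside the legitimate row; the parameterized version treats the whole payload as a search string and returns nothing.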
🔧 Temporary Workarounds
Input Validation Filter
Implement strict server-side input validation for the txt parameter so that values outside an allowlist are rejected before they reach the query.
Implement regex filtering: ^[a-zA-Z0-9\s\-_]+$ for the txt parameter. This allowlist rejects quotes and comment sequences, but it also rejects legitimate search text containing periods, slashes, apostrophes, ampersands or non-ASCII characters, so expect some false positives in link-field searches until the real patch is applied.
WAF Rule
Deploy web application firewall rules to block SQL injection patterns in the txt parameter.
Configure the WAF to block requests containing SQL keywords like UNION, SELECT, INSERT, DELETE in the txt parameter. Match case-insensitively and after URL decoding, or the rule is trivially bypassed; note that a keyword list also blocks innocent searches containing words like "select", and that keyword blocklists are a stopgap, not a substitute for the patch.
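To see what the two stopgaps above actually accept and block, here is an added example (not ERPNext code and not a real WAF rule) that applies the allowlist regex and a keyword blocklist to a set of constructed inputs. The supplier names and payloads are invented; the "naive" variant of the keyword rule is case-sensitive and does not URL-decode, to show why those two details matter.

```python
import re
import urllib.parse

# Allowlist from the workaround above: letters, digits, whitespace, hyphen, underscore.
ALLOWLIST = re.compile(r"^[a-zA-Z0-9\s\-_]+$")

# Keyword blocklist as a WAF rule might express it.
BLOCKED_KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE")


def allowlist_accepts(txt):
    """True if txt passes the allowlist. fullmatch avoids the trailing-newline quirk of $."""
    return ALLOWLIST.fullmatch(txt) is not None


def keyword_rule_blocks(txt, case_insensitive=True, url_decode=True):
    """True if a keyword rule would block txt. The flags control how naive the rule is."""
    value = urllib.parse.unquote(txt) if url_decode else txt
    haystack = value.upper() if case_insensitive else value
    return any(keyword in haystack for keyword in BLOCKED_KEYWORDS)


# Constructed inputs: legitimate search strings followed by injection-style payloads.
INPUTS = [
    "MR-00123",                                   # ordinary document-name search
    "O'Brien & Sons",                             # legitimate, but apostrophe and & fail the allowlist
    "Select Hardware Ltd",                        # legitimate, but a keyword rule blocks it
    "' UNION SELECT secret FROM api_keys -- ",    # plain payload
    "' uNiOn sElEcT secret FROM api_keys -- ",    # mixed case defeats a case-sensitive rule
    "%27%20%55NION%20%53ELECT%20secret",          # URL-encoded letters defeat a non-decoding rule
]


def evaluate(inputs=INPUTS):
    """Return one verdict row per input for the allowlist and both keyword-rule variants."""
    rows = []
    for txt in inputs:
        rows.append({
            "txt": txt,
            "allowlist_accepts": allowlist_accepts(txt),
            "strict_rule_blocks": keyword_rule_blocks(txt),
            "naive_rule_blocks": keyword_rule_blocks(txt, case_insensitive=False, url_decode=False),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The allowlist stops every payload but also rejects "O'Brien & Sons"; the strict keyword rule catches the encoded and mixed-case payloads but blocks "Select Hardware Ltd"; the naive rule misses two of the three payloads. Whichever stopgap is used, it should be applied on the server side or at the proxy, not in the browser.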
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the ERPNext application
- Deploy database activity monitoring to detect unusual SQL queries
🔍 How to Verify
Check if Vulnerable:
On a system you are authorized to test, preferably a non-production copy, call the material request search endpoint with injection-style values in the txt parameter (a stray quote, a comment sequence, a UNION clause) and compare the responses against a benign value: database errors, extra rows, or a response time that tracks an injected delay indicate the unpatched code.
Check Version:
Check the ERPNext version in the admin panel or run: bench version. Because the fix is identified by commit rather than by release number, also confirm that commit de919568b4f7a86c8d418c0c3fd88e1f3101696c is present in the apps/erpnext checkout (for example with git log or git branch --contains).
Verify Fix Applied:
After patching, attempt SQL injection tests and verify they are rejected or properly sanitized without exposing database information.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Bursts of requests to the affected endpoint from a single session or IP with rapidly varying txt values (an attacker enumerating the injection), especially when some return HTTP 500
- Requests with SQL keywords in txt parameter
Network Indicators:
- Unusual database connection patterns from application server
- Large data transfers from database to unexpected sources
SIEM Query:
source="web_logs" AND (txt="*UNION*" OR txt="*SELECT*" OR txt="*INSERT*")
This query assumes the txt field has been extracted from the request and that matching is case-insensitive; apply it after URL decoding, since encoded payloads will not match literally. Frappe whitelisted methods are commonly called with POST, and standard access logs do not record POST bodies, so capture the parameter at the reverse proxy or WAF, or use Frappe's own request logging, for coverage of those calls.
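As an added example, not part of the original advisory or of the ERPNext project, a small detector applies the idea behind the SIEM query above to constructed access log lines: it URL-decodes txt (twice, so double-encoded payloads are seen), matches keywords case-insensitively, and flags a request only when a quote or comment marker is present or at least two SQL keywords appear, so that ordinary words such as "Select" in a search string do not alert on their own. The method path erpnext.example.get_material_requests_based_on_supplier in the sample lines is a placeholder, not the real dotted path; the detector matches on the function name only.

```python
import re
import urllib.parse

# Constructed combined-format access log lines. IPs are documentation ranges and
# "erpnext.example" is a placeholder module path, not the real one.
LOG_LINES = [
    '203.0.113.7 - - [10/Jul/2025:09:14:02 +0000] "GET /api/method/erpnext.example.get_material_requests_based_on_supplier?doctype=Material+Request&txt=MR-00&supplier=Acme+Supplies HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2025:09:14:05 +0000] "GET /api/method/erpnext.example.get_material_requests_based_on_supplier?doctype=Material+Request&txt=Select+Hardware+Ltd&supplier=Acme+Supplies HTTP/1.1" 200 98',
    '198.51.100.23 - - [10/Jul/2025:09:20:41 +0000] "GET /api/method/erpnext.example.get_material_requests_based_on_supplier?doctype=Material+Request&txt=%27%20UNION%20SELECT%20user%2Csecret%20FROM%20secrets%20--%20&supplier=Acme HTTP/1.1" 200 4096',
    '198.51.100.23 - - [10/Jul/2025:09:20:44 +0000] "GET /api/method/erpnext.example.get_material_requests_based_on_supplier?doctype=Material+Request&txt=%2527%2520union%2520select%2520sleep(5)--&supplier=Acme HTTP/1.1" 500 211',
    '10.0.0.9 - - [10/Jul/2025:09:22:00 +0000] "POST /api/method/erpnext.example.get_material_requests_based_on_supplier HTTP/1.1" 200 512',
]

SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE", "UPDATE", "DROP", "SLEEP", "BENCHMARK")
REQ_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Split a combined-format line into client, method, path, decoded query params, status."""
    m = REQ_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = urllib.parse.parse_qs(query, keep_blank_values=True)  # decodes once
    return {"client": m.group("client"), "method": m.group("method"),
            "path": path, "params": params, "status": int(m.group("status"))}


def analyze_txt(value):
    """Score one txt value: decode again, collect SQL keywords and quote/comment markers."""
    decoded = urllib.parse.unquote_plus(value)  # second decode catches double encoding
    upper = decoded.upper()
    keywords = [k for k in SQL_KEYWORDS if re.search(r"\b%s\b" % k, upper)]
    markers = [mk for mk in ("'", "--", "/*") if mk in decoded]
    flagged = bool(markers) or len(keywords) >= 2
    return {"decoded": decoded, "keywords": keywords, "markers": markers, "flagged": flagged}


def scan(lines):
    """Return an alert per flagged txt value sent to the affected function."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if not req or "get_material_requests_based_on_supplier" not in req["path"]:
            continue
        # POST bodies are not in access logs; only GET query strings are visible here.
        for value in req["params"].get("txt", []):
            verdict = analyze_txt(value)
            if verdict["flagged"]:
                alerts.append({"client": req["client"], "status": req["status"],
                               "txt": verdict["decoded"], "keywords": verdict["keywords"],
                               "markers": verdict["markers"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(alert)
```

Run against the sample lines it raises two alerts, both for 198.51.100.23, and stays quiet for the benign "MR-00" and "Select Hardware Ltd" searches; the POST line is skipped because nothing in it identifies the parameter, which is exactly the coverage gap the note above describes.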