CVE-2025-52041
📋 TL;DR
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the inventory_dimensions_dict parameter, potentially extracting all database information. It affects organizations using vulnerable versions of ERPNext for inventory management. The vulnerability requires authenticated access but can lead to complete database compromise.
💻 Affected Systems
- Frappe ERPNext
📦 What is this software?
ERPNext by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Complete database exfiltration including sensitive business data, customer information, financial records, and credentials, potentially leading to data breach, regulatory penalties, and business disruption.
Likely Case
Extraction of inventory data, product information, and potentially other business data accessible through the stock reconciliation module.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, with database permissions restricting access to sensitive tables.
🎯 Exploit Status
SQL injection is well-understood with many available tools. The vulnerability is documented with technical details in public repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit eb22794f14351c2ff5731548c48bef0b91765c86
Vendor Advisory: https://github.com/frappe/erpnext/pull/49192/commits/eb22794f14351c2ff5731548c48bef0b91765c86
Restart Required: Yes
Instructions:
1. Update to the latest ERPNext version containing the fix.
2. Apply the specific commit if using a source installation.
3. Restart the ERPNext application server.
4. Verify the fix by testing the stock reconciliation functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize the inventory_dimensions_dict parameter before processing.
# Python example: Validate parameter contains only expected keys/values
# Assumes the parameter arrives as a raw string; any character outside
# the expected key/value alphabet is rejected before it reaches a query.
import re

def validate_inventory_dimensions(inventory_dimensions_dict):
    if not re.match(r'^[a-zA-Z0-9_,=]*$', inventory_dimensions_dict):
        raise ValueError('Invalid parameter format')
    return inventory_dimensions_dict
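To show what the "input validation and parameterized queries" of the If Mitigated section look like in practice, here is an added example that is not ERPNext's code or the fix commit: a filter built from a dimensions dict with an allowlist of column names and bound values, beside the string-concatenation pattern this bug class comes from. The table, allowlist and column names are constructed for the demo and are not ERPNext's schema.

```python
import re
import sqlite3

# Hypothetical allowlist of dimension columns the query may filter on.
ALLOWED_DIMENSIONS = {"warehouse", "batch_no", "serial_no"}
IDENTIFIER_RE = re.compile(r"^[a-z_][a-z0-9_]*$")


def build_filter_unsafe(dims: dict) -> str:
    # Vulnerable pattern: keys and values interpolated straight into SQL text.
    return " AND ".join(f"{k} = '{v}'" for k, v in dims.items())


def dimensions_are_valid(dims: dict) -> bool:
    # Every key must be a plain identifier that is on the allowlist.
    return all(k in ALLOWED_DIMENSIONS and IDENTIFIER_RE.match(k) for k in dims)


def build_filter_safe(dims: dict) -> tuple[str, list]:
    # Hardened pattern: identifiers from the allowlist, values as bound parameters.
    if not dimensions_are_valid(dims):
        raise ValueError("unknown inventory dimension in request")
    clauses = [f"{key} = ?" for key in dims]
    return (" AND ".join(clauses) or "1=1"), list(dims.values())


def _demo_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for a stock table (two sample rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock (item_code TEXT, warehouse TEXT, batch_no TEXT, qty REAL)")
    conn.executemany("INSERT INTO stock VALUES (?, ?, ?, ?)", [
        ("ITEM-1", "Stores - A", "B1", 10.0),
        ("ITEM-2", "Finished Goods - A", "B2", 5.0),
    ])
    return conn


def count_rows(dims: dict, safe: bool = True) -> int:
    # Returns how many rows the filter matches; with safe=True the value
    # "x' OR '1'='1" is treated as a literal and matches nothing.
    conn = _demo_db()
    if safe:
        where, params = build_filter_safe(dims)
        cur = conn.execute(f"SELECT COUNT(*) FROM stock WHERE {where}", params)
    else:
        cur = conn.execute(f"SELECT COUNT(*) FROM stock WHERE {build_filter_unsafe(dims)}")
    return cur.fetchone()[0]
```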
Database Permission Restriction
Limit database user permissions to read-only for the application account accessing stock tables.
-- SQL command to restrict permissions
REVOKE ALL PRIVILEGES ON *.* FROM 'erpnext_user'@'localhost';
GRANT SELECT ON erpnext_db.* TO 'erpnext_user'@'localhost';
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns in the inventory_dimensions_dict parameter
- Disable or restrict access to the stock reconciliation module for non-essential users
🔍 How to Verify
Check if Vulnerable:
Check if your ERPNext version is 15.57.5 or earlier and review the stock_reconciliation.py file for the vulnerable get_stock_balance_for() function.
Check Version:
bench version
Verify Fix Applied:
Verify that your installation includes commit eb22794f14351c2ff5731548c48bef0b91765c86 and test the stock reconciliation functionality with malformed input.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs from the ERPNext application user
- Multiple failed or unusual requests to /api/method/erpnext.stock.doctype.stock_reconciliation.stock_reconciliation.get_stock_balance_for
Network Indicators:
- HTTP POST requests with SQL-like patterns in the inventory_dimensions_dict parameter
- Unusually large database response sizes from stock reconciliation endpoints
SIEM Query:
source="web_logs" AND uri="/api/method/erpnext.stock.doctype.stock_reconciliation.stock_reconciliation.get_stock_balance_for" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR*1=1*")