CVE-2025-52042
📋 TL;DR
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the txt parameter in the get_rfq_containing_supplier() function. Successful exploitation enables complete database extraction, potentially exposing sensitive business data. All organizations running vulnerable versions of ERPNext are affected.
💻 Affected Systems
- Frappe ERPNext
📦 What is this software?
ERPNext by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive business data, financial records, customer information, and credentials leading to data breach, financial loss, and regulatory penalties.
Likely Case
Extraction of sensitive business data including supplier information, pricing data, and internal documents, potentially enabling further attacks.
If Mitigated
Limited data exposure if database permissions are restricted, but still significant risk to application data.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint but SQL injection payloads are well-documented and easy to craft.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub commit 7f2a52ff71a1fd5d4a9034cf217094c0be9f341a
Vendor Advisory: https://github.com/frappe/erpnext/pull/49192/commits/7f2a52ff71a1fd5d4a9034cf217094c0be9f341a
Restart Required: Yes
Instructions:
1. Update to a patched version of ERPNext
2. Apply the specific commit fixing the SQL injection
3. Restart the application server
4. Verify the fix is applied
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize the txt parameter before processing
Implement parameterized queries or input sanitization in the vulnerable function
WAF Rule
Deploy web application firewall rules to block SQL injection patterns
Configure the WAF to detect and block SQL injection patterns in request parameters
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all user inputs
- Restrict database user permissions to minimum required access
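As an added illustration of the parameterized-query mitigation named above (example code, not ERPNext's own function or the referenced patch): a hypothetical supplier search driven by a txt parameter, first in the injectable string-formatting style, then with the value bound as a query parameter. The table, rows and the sqlite3 stand-in are constructed for the example; ERPNext itself runs on MariaDB through frappe.db.sql.

```python
import sqlite3

# Constructed in-memory stand-in for the ERPNext database. ERPNext itself uses
# MariaDB via frappe.db.sql; sqlite3 is used here only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE rfq (name TEXT, supplier TEXT);
        INSERT INTO rfq VALUES ('RFQ-0001', 'Acme Metals');
        INSERT INTO rfq VALUES ('RFQ-0002', 'Acme Plastics');
        INSERT INTO rfq VALUES ('RFQ-0003', 'Globex Ltd');
    """)
    return conn

def search_rfq_unsafe(conn, txt):
    # Hypothetical vulnerable pattern (not ERPNext's actual code): the caller-controlled
    # txt value is spliced into the SQL text, so a quote inside txt rewrites the query.
    sql = "SELECT name FROM rfq WHERE supplier LIKE '%{}%' ORDER BY name".format(txt)
    return [row[0] for row in conn.execute(sql)]

def search_rfq_safe(conn, txt):
    # Hardened form: txt is bound as a query parameter, so the database compares it as
    # a value and never parses it as SQL. frappe.db.sql gives the same guarantee with
    # %s placeholders and a values tuple or dict. Note that % and _ inside txt still
    # act as LIKE wildcards; escape them if exact substring matching is required.
    sql = "SELECT name FROM rfq WHERE supplier LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, ("%" + txt + "%",))]

if __name__ == "__main__":
    db = make_db()
    # Ordinary search: both versions agree.
    print(search_rfq_unsafe(db, "Acme"), search_rfq_safe(db, "Acme"))
    # Verification input with an embedded quote (the advisory's "confirm they're
    # blocked" check): the unsafe version returns rows the caller never asked for,
    # the safe version returns nothing because no supplier contains that literal text.
    probe = "Globex' OR supplier LIKE '%Acme"
    print(search_rfq_unsafe(db, probe))
    print(search_rfq_safe(db, probe))
```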
🔍 How to Verify
Check if Vulnerable:
Test the vulnerable endpoint with SQL injection payloads in the txt parameter and monitor for database errors or unexpected responses.
Check Version:
Check the ERPNext version in the admin panel or via the bench version command
Verify Fix Applied:
Verify the patched code uses parameterized queries and test with SQL injection payloads to confirm they're blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts or parameter manipulation
- Requests with SQL keywords in txt parameter
Network Indicators:
- Unusual database connection patterns
- Large data transfers from database server
SIEM Query:
search 'txt parameter' AND (SELECT OR UNION OR INSERT OR DELETE) in web server logs