CVE-2025-52049
📋 TL;DR
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the timelog parameter, potentially extracting all database information. It affects organizations using vulnerable versions of ERPNext for project management and timesheet tracking. The vulnerability requires authenticated access but can lead to complete database compromise.
💻 Affected Systems
- Frappe ERPNext
📦 What is this software?
ERPNext by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Complete database exfiltration including sensitive business data, user credentials, financial records, and PII, potentially leading to data breach, compliance violations, and business disruption.
Likely Case
Extraction of timesheet and project data, potentially exposing employee work records, billing information, and internal project details.
If Mitigated
Limited impact with proper input validation and database permissions restricting query execution scope.
🎯 Exploit Status
Requires authenticated access to the timesheet functionality. The SQL injection is through the timelog parameter of the get_timesheet_detail_rate() function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit e563ed0c75fd20135a6ad288e957e75eac7d3b8d
Vendor Advisory: https://github.com/frappe/erpnext/pull/49192/commits/e563ed0c75fd20135a6ad288e957e75eac7d3b8d
Restart Required: No
Instructions:
1. Update to the latest ERPNext version or apply the specific commit.
2. For v15.57.5, manually patch erpnext/projects/doctype/timesheet/timesheet.py with the fix from the GitHub commit.
3. Verify the fix by checking that SQL queries are properly parameterized.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to reject suspicious timelog parameter values containing SQL keywords
# In timesheet.py, add validation before processing the timelog parameter
# Example (keyword blocklist; a stopgap, not a replacement for parameterized queries):
if any(sql_keyword in str(timelog).lower() for sql_keyword in ['select', 'union', 'insert', 'delete', 'update', 'drop']):
    raise frappe.ValidationError("Invalid timelog value")
🧯 If You Can't Patch
- Implement WAF rules to block SQL injection patterns in timelog parameter requests
- Restrict database user permissions to read-only for timesheet functionality and implement principle of least privilege
🔍 How to Verify
Check if Vulnerable:
Check whether your ERPNext version is v15.57.5 or earlier, and review erpnext/projects/doctype/timesheet/timesheet.py for a get_timesheet_detail_rate() function that builds its SQL query without parameterization.
Check Version:
Run bench version from the bench directory, or check the __version__ string in erpnext/__init__.py.
Verify Fix Applied:
Verify that the timesheet.py file uses parameterized queries (like frappe.db.sql with ? placeholders) instead of string concatenation for SQL queries.
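The two patterns that the workaround and the fix-verification steps above describe, shown side by side as an added example (not ERPNext's or Frappe's code). It uses an in-memory sqlite3 table and a constructed schema that merely stands in for a timesheet detail table; the query-building defect is the generic one (the caller-controlled value is formatted into the SQL text) and the parameterized form passes the value separately. sqlite3 uses ? placeholders; frappe.db.sql takes the same shape with %s placeholders and a values tuple, which is stated here as an assumption about that API rather than something the advisory spells out. The validator mirrors the keyword blocklist from the workaround and adds a character allowlist.

```python
import re
import sqlite3

# Constructed demo schema; not ERPNext's real Timesheet Detail schema.
SCHEMA = """
CREATE TABLE timesheet_detail (name TEXT PRIMARY KEY, activity_type TEXT, billing_rate REAL);
INSERT INTO timesheet_detail VALUES ('TS-0001', 'Development', 80.0);
INSERT INTO timesheet_detail VALUES ('TS-0002', 'Review', 120.0);
"""


def make_db():
    """Return a fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_rate_vulnerable(conn, timelog):
    """Defective pattern: the timelog value is formatted into the SQL text,
    so whatever the caller supplies is parsed as part of the query."""
    query = "SELECT billing_rate FROM timesheet_detail WHERE name = '%s'" % timelog
    return [row[0] for row in conn.execute(query)]


def get_rate_parameterized(conn, timelog):
    """Fixed pattern: the value travels separately from the query text and the
    driver never interprets it as SQL. With frappe.db.sql the equivalent is
    frappe.db.sql(query_with_%s_placeholders, (timelog,)) (assumption, see lead-in)."""
    query = "SELECT billing_rate FROM timesheet_detail WHERE name = ?"
    return [row[0] for row in conn.execute(query, (timelog,))]


# Keyword blocklist from the temporary workaround, plus an allowlist of the
# characters a document name legitimately contains (constructed pattern).
SQL_KEYWORDS = ("select", "union", "insert", "delete", "update", "drop")
NAME_PATTERN = re.compile(r"[A-Za-z0-9 ._\-/]{1,140}")


def timelog_looks_valid(timelog):
    """Stopgap input check: reject values with characters outside the allowlist
    or containing a blocklisted SQL keyword. Returns True when the value is acceptable."""
    value = str(timelog)
    if not NAME_PATTERN.fullmatch(value):
        return False
    return not any(keyword in value.lower() for keyword in SQL_KEYWORDS)


if __name__ == "__main__":
    db = make_db()
    print(get_rate_vulnerable(db, "TS-0001"))       # [80.0]
    print(get_rate_parameterized(db, "TS-0001"))    # [80.0]
    print(timelog_looks_valid("TS-0001"))           # True
```

The blocklist matches substrings, so a legitimate name such as "Drop-off" would be rejected, and a blocklist is in general bypassable; that is why the advisory lists it only as a temporary workaround. The parameterized query is the actual fix, and the check in "Verify Fix Applied" is simply that no query text in get_timesheet_detail_rate() is built with string formatting or concatenation.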
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs from timesheet functionality
- Multiple failed login attempts followed by timesheet API calls
- Large data extraction patterns from timesheet-related tables
Network Indicators:
- Unusually large responses from timesheet API endpoints
- Patterns of SQL keywords in timelog parameter values
SIEM Query:
source="erpnext_logs" AND ((message="*timesheet*" AND message="*sql*") OR (message="*timelog*" AND (message="*select*" OR message="*union*" OR message="*from*")))
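The network indicators listed above (SQL keywords in timelog values, unusually large responses) can be checked offline against web server access logs before a SIEM rule is in place. The following is an added example, not part of the advisory or of ERPNext: it parses constructed nginx-style access log lines, keeps only requests to the whitelisted-method endpoint, and flags a request when the timelog query parameter contains a SQL keyword or a quote character, or when the response size exceeds a threshold. The endpoint path (/api/method/erpnext.projects.doctype.timesheet.timesheet.get_timesheet_detail_rate) is inferred from the module path the advisory gives and is an assumption, as are the sample lines and the size threshold.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumed endpoint path, derived from erpnext/projects/doctype/timesheet/timesheet.py.
TIMESHEET_PATH = "/api/method/erpnext.projects.doctype.timesheet.timesheet.get_timesheet_detail_rate"

# Keywords from the advisory's SIEM query plus the workaround's blocklist.
SQL_KEYWORD_RE = re.compile(r"\b(select|union|insert|delete|update|drop|from)\b", re.IGNORECASE)

# Constructed threshold; tune it to the normal response size for this endpoint.
LARGE_RESPONSE_BYTES = 10_000

# Common log format: ip ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Constructed sample lines: one benign lookup, one suspicious lookup with a large
# response, one unrelated request. These are not real log records.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Jun/2025:10:01:02 +0000] "GET '
    + TIMESHEET_PATH + '?timelog=TS-0001 HTTP/1.1" 200 312',
    '10.0.0.5 - - [12/Jun/2025:10:01:09 +0000] "GET '
    + TIMESHEET_PATH + '?timelog=TS-0001%27%20UNION%20SELECT HTTP/1.1" 200 48211',
    '10.0.0.7 - - [12/Jun/2025:10:02:00 +0000] "GET '
    '/api/method/frappe.desk.form.load.getdoc?doctype=Timesheet HTTP/1.1" 200 900',
]


def parse_line(line):
    """Return the named fields of one access log line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def inspect(line):
    """Return an alert dict for a suspicious timesheet request, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlparse(rec["target"])
    if url.path != TIMESHEET_PATH:
        return None
    reasons = []
    # parse_qs percent-decodes values, so encoded payloads are compared in clear form.
    for value in parse_qs(url.query).get("timelog", []):
        if SQL_KEYWORD_RE.search(value) or "'" in value:
            reasons.append("sql_keyword_in_timelog")
            break
    if int(rec["bytes"]) >= LARGE_RESPONSE_BYTES:
        reasons.append("large_response")
    if not reasons:
        return None
    return {"ip": rec["ip"], "ts": rec["ts"], "timelog": parse_qs(url.query).get("timelog", []), "reasons": reasons}


def scan(lines):
    """Run inspect() over an iterable of log lines and collect the alerts."""
    return [alert for alert in (inspect(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG_LINES):
        print(alert)
```

Access logs only show query-string parameters, so requests that send timelog in a POST body are invisible to this check; pair it with Frappe's own request or error logs (the "erpnext_logs" source in the SIEM query) and with a database-side baseline for the size of rows the timesheet tables normally return.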