CVE-2025-56380
📋 TL;DR
This SQL injection vulnerability in Frappe Framework allows attackers to execute arbitrary SQL commands through the fieldname parameter in the frappe.client.get_value API endpoint. Attackers can potentially read, modify, or delete database content. All systems running vulnerable Frappe Framework versions with the affected API endpoint exposed are at risk.
💻 Affected Systems
- Frappe Framework
📦 What is this software?
Erpnext by Frappe
Frappe by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized data access and extraction from the Frappe database, potentially exposing sensitive business data, user information, or configuration details.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection execution.
🎯 Exploit Status
Public proof-of-concept available on GitHub. Exploitation requires access to the API endpoint but may not require authentication depending on application configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v15.72.5 or later (check Frappe Framework releases)
Vendor Advisory: https://github.com/frappe/frappe/security/advisories
Restart Required: Yes
Instructions:
1. Update Frappe Framework to latest patched version
2. Run bench update command
3. Restart all bench processes
4. Verify the fix by testing the vulnerable endpoint
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for the fieldname parameter so that only expected field names are accepted
# In your custom code, validate fieldname before passing it to get_value
allowed_fields = {"name", "title", "status"}  # example allowlist; use your own field names
if fieldname not in allowed_fields:
    raise ValueError("fieldname is not permitted")
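The allowlist check described above, carried a little further as an added example that is neither Frappe's own code nor code from the original page. It assumes that the fieldname argument may arrive as a plain string, a list, or a JSON-encoded list (an assumption about client behaviour, not something the page states), rejects anything that is not a plain identifier before consulting a per-doctype allowlist, and uses constructed doctype and field names. The real frappe.client.get_value call is passed in as a parameter so the example runs offline.

```python
# Added example (not Frappe's own code): an allowlist check for the
# `fieldname` argument before it reaches frappe.client.get_value.
# `frappe` is not imported; the wrapper takes the backend call as a
# parameter so the check can be exercised stand-alone. The allowlist
# contents and the accepted input shapes are constructed assumptions.
import json
import re

# Only plain identifiers are ever legitimate field names; this rejects
# commas, spaces, quotes, parentheses and comment markers outright.
_IDENT = re.compile(r"^[a-z][a-z0-9_]*$")

# Per-doctype allowlist (constructed example values).
ALLOWED_FIELDS = {
    "User": {"name", "email", "enabled"},
    "ToDo": {"name", "description", "status"},
}


class FieldnameNotAllowed(ValueError):
    """Raised when the fieldname argument fails validation."""


def normalize_fieldname(fieldname):
    """Accept a single name, a list of names, or a JSON-encoded list
    (assumed input shapes) and return a list of field names."""
    if isinstance(fieldname, str):
        stripped = fieldname.strip()
        if stripped.startswith("["):
            try:
                fieldname = json.loads(stripped)
            except ValueError:
                raise FieldnameNotAllowed("fieldname is not valid JSON")
        else:
            fieldname = [stripped]
    if not isinstance(fieldname, list) or not fieldname:
        raise FieldnameNotAllowed("fieldname must be a name or a list of names")
    return fieldname


def validate_fieldname(doctype, fieldname):
    """Return the validated list of field names or raise FieldnameNotAllowed.

    Two layers: the identifier regex rejects anything that could carry SQL
    syntax; the allowlist rejects identifiers that are well-formed but not
    meant to be exposed through this endpoint.
    """
    allowed = ALLOWED_FIELDS.get(doctype)
    if allowed is None:
        raise FieldnameNotAllowed(f"doctype {doctype!r} is not exposed")
    names = normalize_fieldname(fieldname)
    for name in names:
        if not isinstance(name, str) or not _IDENT.match(name):
            raise FieldnameNotAllowed(f"malformed field name {name!r}")
        if name not in allowed:
            raise FieldnameNotAllowed(f"field {name!r} not permitted on {doctype}")
    return names


def is_allowed(doctype, fieldname):
    """Boolean form of validate_fieldname, convenient for tests and logging."""
    try:
        validate_fieldname(doctype, fieldname)
        return True
    except FieldnameNotAllowed:
        return False


def safe_get_value(doctype, fieldname, filters, backend):
    """Validate first, then delegate to `backend` (e.g. frappe.client.get_value)."""
    names = validate_fieldname(doctype, fieldname)
    return backend(doctype, names, filters)


def _fake_backend(doctype, fieldnames, filters):
    # Stand-in for the real call so the example runs offline.
    return {name: f"<{doctype}.{name}>" for name in fieldnames}


if __name__ == "__main__":
    print(safe_get_value("User", "email", {"name": "admin"}, _fake_backend))
    print(is_allowed("User", "email, (SELECT 1) --"))  # False
```

The regex alone would already stop the injection, but the allowlist is what keeps a syntactically valid field such as a password hash column from being read through the endpoint; both checks belong in front of any query builder that interpolates the field name into SQL.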
API Endpoint Restriction
Restrict access to the frappe.client.get_value endpoint using web server rules or application-level authentication
# Nginx example (dots escaped so the regex matches only this endpoint):
# location ~ ^/api/method/frappe\.client\.get_value { deny all; }
# Or implement additional authentication middleware in front of the endpoint
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) with SQL injection protection rules
- Disable or restrict access to the frappe.client.get_value API endpoint entirely
🔍 How to Verify
Check if Vulnerable:
Test the frappe.client.get_value endpoint with SQL injection payloads in the fieldname parameter and observe whether database errors or unexpected data are returned.
Check Version:
Run bench version, or check the version string in frappe/__init__.py
Verify Fix Applied:
After patching, attempt the same SQL injection tests and verify they are properly rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed API calls to frappe.client.get_value
- Database error messages containing SQL syntax
Network Indicators:
- Unusual patterns of requests to /api/method/frappe.client.get_value
- Requests containing SQL keywords in parameters
SIEM Query:
source="web_logs" AND uri="/api/method/frappe.client.get_value" AND param="fieldname" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--")
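The log and network indicators above, expressed as an added detection example that is not part of the original page. It scans nginx-style access-log lines (constructed here for illustration) for requests to /api/method/frappe.client.get_value whose decoded fieldname parameter contains the keywords or comment markers from the SIEM rule, and also counts failed calls per client to match the "multiple failed API calls" indicator. Word boundaries are used so that a legitimate field such as selected_by does not trip on SELECT.

```python
# Added example (not the page's or Frappe's code): the SIEM rule expressed
# as a small detector over nginx combined-format access-log lines.
# The log lines below are constructed samples, not real traffic.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/api/method/frappe.client.get_value"

# Keywords and comment markers from the rule; \b keeps "selected_by" from
# matching SELECT. Case-insensitive because SQL keywords are.
SQL_PATTERN = re.compile(r"\bUNION\b|\bSELECT\b|--|/\*", re.IGNORECASE)

# Combined log format: client, identity, user, time, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample lines: one benign call, one injection attempt that
# produced a 500, one call to a different endpoint, one benign field name
# that happens to contain the substring "select".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /api/method/frappe.client.get_value?doctype=User&fieldname=email&filters=%7B%22name%22%3A%22admin%22%7D HTTP/1.1" 200 120
10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /api/method/frappe.client.get_value?doctype=User&fieldname=email%2C%28SELECT%201%29%20--&filters=%7B%7D HTTP/1.1" 500 88
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /api/method/frappe.client.get_list?doctype=User&fields=%5B%22name%22%5D HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /api/method/frappe.client.get_value?doctype=User&fieldname=selected_by HTTP/1.1" 200 60
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_fieldnames(target):
    """Return the decoded fieldname values in `target` that match SQL_PATTERN,
    but only when the request path is the vulnerable endpoint."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    params = parse_qs(parts.query)  # percent-decodes the values
    return [v for v in params.get("fieldname", []) if SQL_PATTERN.search(v)]


def scan_log(text):
    """Return one hit per suspicious fieldname value seen in the log."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in suspicious_fieldnames(rec["target"]):
            hits.append({"client": rec["client"], "time": rec["time"],
                         "status": rec["status"], "fieldname": value})
    return hits


def failed_calls_by_client(text):
    """Count 4xx/5xx responses from the endpoint per client, for the
    'multiple failed API calls' indicator."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or urlsplit(rec["target"]).path != TARGET_PATH:
            continue
        if rec["status"][0] in "45":
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(failed_calls_by_client(SAMPLE_LOG))
```

Access logs only capture parameters sent in the query string; a client that sends the same parameters in a POST body leaves no trace of fieldname in the web server log, so the same pattern should also be applied to application-level request logging or the database error log where the failing statement is recorded.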