CVE-2025-65924

3.5 LOW

📋 TL;DR

ERPNext versions through 15.88.1 fail to sanitize HTML <a> tags in plain text fields, allowing an attacker to inject clickable links into generated PDF documents. Because users trust ERP-generated PDFs, they are likely to click such links, enabling phishing or malware delivery. This affects all ERPNext users who generate PDFs from the 'Add Quality Goal' function.

💻 Affected Systems

Products:
  • ERPNext
Versions: through 15.88.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability was reported in the 'Add Quality Goal' function specifically. Other functions that render plain text fields into PDFs may also be affected, but this has not been confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users click malicious links in trusted PDFs, leading to credential theft, malware installation, or lateral movement within the organization.

🟠 Likely Case

Targeted phishing attacks in which attackers embed malicious links in legitimate-looking ERP documents to steal credentials or deliver malware.

🟢 If Mitigated

Users are trained to verify links before clicking, reducing successful phishing attempts even if malicious links remain in PDFs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create/modify quality goals. Attack complexity is low once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.88.2 or later

Vendor Advisory: https://github.com/frappe/frappe_docker.git

Restart Required: No

Instructions:

1. Update ERPNext to version 15.88.2 or later.
2. Verify the update completed successfully.
3. Test PDF generation from quality goals.

🔧 Temporary Workarounds

Disable PDF generation for quality goals (applies to: all)

Temporarily disable PDF export for the affected 'Add Quality Goal' feature until the patch is applied.

Implement output sanitization (applies to: all)

Add custom sanitization of plain text fields before PDF generation. Prefer HTML-escaping the field value over stripping tags: escaping turns '<a href=...>' into literal text, whereas a tag stripper can be bypassed with nested or malformed markup.

🧯 If You Can't Patch

  • Restrict user permissions to only trusted personnel for creating/modifying quality goals
  • Implement PDF link scanning before distribution to detect malicious URLs

🔍 How to Verify

Check if Vulnerable:

Create a quality goal whose plain text fields contain an anchor tag, for example <a href="https://example.test">test</a>, generate the PDF, and check whether that text is rendered as a clickable link. If it is, the instance is vulnerable.
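The sanitization workaround and this check, as an added example (not code from the advisory or from the Frappe/ERPNext project). The print-format template is modelled as a plain f-string rather than Frappe's Jinja print format, the field contents are constructed, and the anchor-stripping function is included only to show why escaping is the stronger workaround; in a real deployment the escape would go into a validate hook on the doctype or into the print format itself.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs for a plain-text field of a Quality Goal
# (hypothetical field content, not taken from the advisory).
ATTACKER_INPUT = 'Reduce defect rate <a href="https://evil.example/login">see target sheet</a>'
NESTED_TAG_INPUT = '<<a>a href="https://evil.example/x">click</a>'


def render_vulnerable(goal_text):
    """Stand-in for a print format that interpolates the raw field value:
    any markup in the field survives into the HTML handed to the PDF engine."""
    return f"<div class='goal'>{goal_text}</div>"


def sanitize_plain_text(value):
    """Escape instead of strip: '<a href=...>' becomes literal text in the PDF."""
    return html.escape(value, quote=True)


def render_hardened(goal_text):
    """Same stand-in template, with the field escaped before interpolation."""
    return f"<div class='goal'>{sanitize_plain_text(goal_text)}</div>"


def strip_anchor_tags_once(value):
    """A single-pass anchor-tag stripper, included only to show why stripping
    is the weaker workaround: nested markup like '<<a>a href=...>' survives it
    as a live '<a href=...>' tag."""
    return re.sub(r"</?a\b[^>]*>", "", value, flags=re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects href targets of <a> tags in the rendered HTML; a non-empty
    result is the 'clickable link appears in the document' condition."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def find_links(rendered_html):
    """Return every href found in the rendered HTML, in document order."""
    parser = LinkCollector()
    parser.feed(rendered_html)
    parser.close()
    return parser.hrefs


if __name__ == "__main__":
    for label, text in (("plain", ATTACKER_INPUT), ("nested", NESTED_TAG_INPUT)):
        print(label, "raw:      ", find_links(render_vulnerable(text)))
        print(label, "stripped: ", find_links(render_vulnerable(strip_anchor_tags_once(text))))
        print(label, "escaped:  ", find_links(render_hardened(text)))
```

The raw render of the first input yields one clickable link; the escaped render yields none for either input. The stripper neutralizes the first input but leaves a working link in the nested one, which is the reason the workaround above recommends escaping. The same find_links check, run on the HTML the print format produces, is the programmatic form of the manual verification step.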

Check Version:

Check the ERPNext version in the desk's About dialog, or run bench version from the bench directory on the server. Anything below 15.88.2 is affected.
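A version check in runnable form, as an added example (not from the advisory or the Frappe project). It assumes that bench version prints one "<app> <version>" line per app; confirm that layout against your own bench output before relying on it. The sample output is constructed.

```python
import re
import sys

# First release that carries the fix, per this advisory.
FIRST_FIXED = (15, 88, 2)

# Constructed sample of `bench version` output. The "<app> <version>" line
# layout is an assumption; check it against your own bench before relying on it.
SAMPLE_BENCH_OUTPUT = """\
erpnext 15.88.1
frappe 15.91.0
"""


def parse_version(text):
    """'15.88.1', 'v15.88.1' or '15.88.1-dev' -> (15, 88, 1).
    Trailing suffixes are ignored; missing components count as 0."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version):
    """Affected means anything below the first fixed release (15.88.2)."""
    return parse_version(version) < FIRST_FIXED


def erpnext_version_from_bench(output):
    """Pick the erpnext line out of `bench version` output; None if absent."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() == "erpnext":
            return fields[1]
    return None


def check_bench_output(output):
    """Return (version, affected) for the erpnext app in the output."""
    version = erpnext_version_from_bench(output)
    if version is None:
        raise ValueError("no erpnext line in bench version output")
    return version, is_affected(version)


if __name__ == "__main__":
    # On the server: `bench version | python3 check_erpnext.py`; with no piped
    # input the constructed sample is used so the script runs offline.
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BENCH_OUTPUT
    version, affected = check_bench_output(output)
    print(f"erpnext {version}: {'AFFECTED, update to 15.88.2 or later' if affected else 'fixed'}")
```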

Verify Fix Applied:

After patching, repeat the test - HTML tags should be stripped or escaped in PDF output

📡 Detection & Monitoring

Log Indicators:

  • Unusual quality goal creation/modification patterns
  • Multiple PDF generation requests from single user

Network Indicators:

  • Outbound connections to suspicious domains from users who recently opened ERP PDFs

SIEM Query:

source="erpnext" AND (event="quality_goal_creation" OR event="pdf_generation") | stats count by user
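The detection logic from this section in runnable form, as an added example (not from the advisory): it reproduces the per-user count of the SIEM query, flags bursts of PDF generation by one user, and correlates later outbound connections to untrusted hosts with that user's recent PDF generation. The JSON log lines are constructed and the field and event names are hypothetical; map them to whatever your ERPNext and proxy logging actually emits.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (JSON lines). Field names and event names are
# hypothetical, not Frappe's or any proxy's real schema.
ERP_LOG = """\
{"ts": "2025-11-20T09:00:00", "user": "alice@corp.example", "event": "quality_goal_creation", "doc": "QG-0001"}
{"ts": "2025-11-20T09:01:00", "user": "alice@corp.example", "event": "pdf_generation", "doc": "QG-0001"}
{"ts": "2025-11-20T09:02:00", "user": "alice@corp.example", "event": "pdf_generation", "doc": "QG-0001"}
{"ts": "2025-11-20T09:03:00", "user": "alice@corp.example", "event": "pdf_generation", "doc": "QG-0001"}
{"ts": "2025-11-20T09:04:00", "user": "alice@corp.example", "event": "pdf_generation", "doc": "QG-0001"}
{"ts": "2025-11-20T09:05:00", "user": "alice@corp.example", "event": "pdf_generation", "doc": "QG-0001"}
{"ts": "2025-11-20T10:00:00", "user": "bob@corp.example", "event": "quality_goal_creation", "doc": "QG-0002"}
{"ts": "2025-11-20T10:05:00", "user": "bob@corp.example", "event": "pdf_generation", "doc": "QG-0002"}
"""

PROXY_LOG = """\
{"ts": "2025-11-20T10:07:00", "user": "bob@corp.example", "host": "erp.corp.example"}
{"ts": "2025-11-20T10:09:00", "user": "bob@corp.example", "host": "evil.example"}
{"ts": "2025-11-20T15:00:00", "user": "bob@corp.example", "host": "unknown-cdn.example"}
{"ts": "2025-11-20T09:30:00", "user": "carol@corp.example", "host": "evil.example"}
"""

# Hosts that are expected destinations and should not raise an alert.
TRUSTED_HOSTS = {"erp.corp.example", "corp.example"}


def parse_jsonl(text):
    """Parse JSON lines into dicts, converting 'ts' to datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def count_by_user(events, event_types=("quality_goal_creation", "pdf_generation")):
    """Equivalent of the '| stats count by user' in the SIEM query above."""
    return Counter(e["user"] for e in events if e["event"] in event_types)


def bursty_pdf_users(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` pdf_generation events inside any window
    (sliding window over the sorted timestamps of each user)."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "pdf_generation":
            per_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def outbound_after_pdf(erp_events, proxy_events, window=timedelta(minutes=30)):
    """Proxy hits to untrusted hosts by a user within `window` after that user
    generated a PDF: the network indicator above, with PDF generation standing
    in for 'opened an ERP PDF', which is not usually logged."""
    pdf_times = defaultdict(list)
    for e in erp_events:
        if e["event"] == "pdf_generation":
            pdf_times[e["user"]].append(e["ts"])
    hits = []
    for p in proxy_events:
        if p["host"] in TRUSTED_HOSTS:
            continue
        for t in pdf_times.get(p["user"], []):
            if timedelta(0) <= p["ts"] - t <= window:
                hits.append((p["user"], p["host"], p["ts"].isoformat()))
                break
    return hits


if __name__ == "__main__":
    erp, proxy = parse_jsonl(ERP_LOG), parse_jsonl(PROXY_LOG)
    print("events per user:", dict(count_by_user(erp)))
    print("bursty PDF generation:", bursty_pdf_users(erp))
    print("outbound to untrusted host after PDF:", outbound_after_pdf(erp, proxy))
```

Thresholds and windows are starting points, not tuned values; a user who legitimately batch-prints quality goals will trip the burst rule, so treat it as a lead to review alongside the document contents rather than as an alert on its own.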
