CVE-2025-66439
📋 TL;DR
This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries through the from_posting_date parameter. It enables database information extraction, potentially exposing sensitive business data. All organizations running vulnerable ERPNext versions are affected.
💻 Affected Systems
- Frappe ERPNext
📦 What is this software?
ERPNext by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to theft of all business data, financial records, customer information, and potential lateral movement to other systems.
Likely Case
Extraction of sensitive business data including financial transactions, customer records, and operational information, potentially leading to data breach and regulatory violations.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only exposing non-sensitive data or being blocked by WAF rules.
🎯 Exploit Status
SQL injection is well-understood and public technical details are available. Exploitation requires access to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.90.0 or later
Vendor Advisory: https://github.com/frappe/frappe/security
Restart Required: Yes
Instructions:
1. Update Frappe ERPNext to version 15.90.0 or later.
2. Apply the patch that replaces string interpolation with parameterized queries.
3. Restart the application server.
4. Verify the fix by checking the updated code in payment_entry.py.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to sanitize the from_posting_date parameter before processing
# Add validation in the application code to ensure date format compliance
# Implement regex pattern matching for valid date formats
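The two mitigations described above (the official fix, which replaces string interpolation with parameterized queries, and the strict date validation workaround) side by side, as an added example that is not Frappe's or ERPNext's own code. The invoice table, its column names and the in-memory sqlite3 backend are constructed for the demonstration; ERPNext's real schema and database layer differ, but the pattern is the same: reject anything that is not a plain YYYY-MM-DD date, then pass the value as a bound parameter rather than splicing it into the SQL text.

```python
import re
import sqlite3
from datetime import date

# Strict YYYY-MM-DD shape. The regex states the intent; date.fromisoformat()
# additionally rejects impossible calendar dates such as 2024-13-40.
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_posting_date(value):
    """Return the value as a date, or raise ValueError if it is not a plain ISO date."""
    if not isinstance(value, str) or not _DATE_RE.match(value):
        raise ValueError("from_posting_date must be a YYYY-MM-DD date")
    return date.fromisoformat(value)


def is_valid_posting_date(value):
    """Boolean convenience wrapper around validate_posting_date()."""
    try:
        validate_posting_date(value)
        return True
    except ValueError:
        return False


def build_sample_db():
    """Constructed sample data standing in for the real invoice tables (not ERPNext's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (name TEXT, posting_date TEXT, outstanding REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [
            ("INV-0001", "2024-01-15", 100.0),
            ("INV-0002", "2024-02-20", 250.0),
            ("INV-0003", "2024-03-05", 0.0),
        ],
    )
    return conn


def unsafe_outstanding_invoices(conn, from_posting_date):
    """Vulnerable pattern: the request parameter is interpolated into the SQL string."""
    sql = (
        "SELECT name FROM invoices "
        f"WHERE posting_date >= '{from_posting_date}' AND outstanding > 0"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_outstanding_invoices(conn, from_posting_date):
    """Hardened pattern: validate the input, then bind it as a query parameter."""
    posting_date = validate_posting_date(from_posting_date)
    sql = "SELECT name FROM invoices WHERE posting_date >= ? AND outstanding > 0"
    return [row[0] for row in conn.execute(sql, (posting_date.isoformat(),))]


if __name__ == "__main__":
    db = build_sample_db()
    print(safe_outstanding_invoices(db, "2024-02-01"))
    print(is_valid_posting_date("2024-02-01' --"))
```

Both query functions return the same rows for a well-formed date; the difference is that `safe_outstanding_invoices()` raises `ValueError` before any SQL runs when the value is not a date, and even a value that slipped past validation would reach the database only as data, never as SQL text. Keep the validation in place alongside the parameterized query: the two layers fail independently, which is the point of the "If You Can't Patch" advice above.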
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns
# Configure WAF to detect and block SQL injection attempts
# Set up rules for common SQLi patterns in POST parameters
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all date parameters
- Restrict database user permissions to minimum required privileges
🔍 How to Verify
Check if Vulnerable:
Check if ERPNext version is 15.89.0 or earlier. Review the payment_entry.py file for direct string interpolation in get_outstanding_reference_documents() function.
Check Version:
bench version
Verify Fix Applied:
Verify ERPNext version is 15.90.0 or later. Check that the vulnerable function now uses parameterized queries instead of string interpolation.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by payment entry requests
- Requests with malformed date parameters containing SQL keywords
Network Indicators:
- HTTP requests to payment entry endpoints with SQL injection patterns in parameters
- Unusual database query patterns from application server
SIEM Query:
source="web_server" AND uri="/api/method/erpnext.accounts.doctype.payment_entry.payment_entry.get_outstanding_reference_documents" AND param="from_posting_date" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--")
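The same detection logic as the SIEM query above, run over web-server log lines, as an added example that is not part of the original advisory. The log lines are constructed in a combined-access-log shape and are not real traffic; the endpoint path and parameter name come from the advisory. Beyond the keyword match, the scanner also flags any from_posting_date value that is not a plain YYYY-MM-DD date, which catches probes the keyword list misses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = (
    "/api/method/erpnext.accounts.doctype.payment_entry."
    "payment_entry.get_outstanding_reference_documents"
)
PARAM = "from_posting_date"

# Keyword list mirrors the SIEM query; the date check below is the stricter rule.
SQL_HINTS = ("union", "select", "--")
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log (not real traffic). Line 2 carries SQL keywords,
# line 4 carries a stray quote with no keyword, lines 1 and 3 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /api/method/erpnext.accounts.doctype.payment_entry.payment_entry.get_outstanding_reference_documents?from_posting_date=2025-02-01&company=Acme HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2025:10:00:02 +0000] "GET /api/method/erpnext.accounts.doctype.payment_entry.payment_entry.get_outstanding_reference_documents?from_posting_date=2025-02-01+UNION+SELECT+1--&company=Acme HTTP/1.1" 200 9871
10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /api/method/frappe.auth.get_logged_user HTTP/1.1" 200 64
10.0.0.7 - - [01/Mar/2025:10:00:04 +0000] "GET /api/method/erpnext.accounts.doctype.payment_entry.payment_entry.get_outstanding_reference_documents?from_posting_date=2025-02-01%27&company=Acme HTTP/1.1" 500 231
"""


def extract_request_target(line):
    """Return the request target (path plus query string) from an access-log line, or None."""
    match = _REQUEST_RE.search(line)
    return match.group(1) if match else None


def classify_line(line):
    """Return a reason string if the line looks like abuse of the vulnerable endpoint, else None."""
    target = extract_request_target(line)
    if target is None:
        return None
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so %27 arrives as a literal quote.
    for value in parse_qs(parts.query).get(PARAM, []):
        lowered = value.lower()
        hits = [hint for hint in SQL_HINTS if hint in lowered]
        if hits:
            return f"SQL keyword(s) {hits} in {PARAM}"
        if not _DATE_RE.match(value):
            return f"{PARAM} is not a YYYY-MM-DD date: {value!r}"
    return None


def scan_log(text):
    """Return (line_number, reason) for every suspicious line in the log text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        reason = classify_line(line)
        if reason:
            findings.append((number, reason))
    return findings


if __name__ == "__main__":
    for number, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Access logs normally record only the query string, so this catches GET requests; if the parameter is sent in a POST body, the same check has to run on application-level request logging or on the WAF's parameter view, which is the data source the SIEM query's `param`/`value` fields assume. A valid-date-or-alert rule is also far cheaper to maintain than a growing keyword list.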