CVE-2025-52044
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-09-20
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | erpnext | 15.57.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL Injection in the get_stock_balance() function of Frappe ERPNext v15.57.5. It occurs because the function uses unsanitized input from the inventory_dimensions_dict parameter directly in SQL queries. An attacker can exploit this by injecting malicious SQL code, allowing them to extract all information from the database. [1]
How can this vulnerability impact me?
The vulnerability can allow an attacker to extract all information from the database, potentially exposing sensitive business data, customer information, and other confidential records stored in the ERP system. This can lead to data breaches, loss of data integrity, and unauthorized access to critical business information. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively impact compliance with standards like GDPR and HIPAA because it risks unauthorized access and extraction of sensitive personal and protected health information stored in the database. Such data breaches can lead to violations of data protection regulations, resulting in legal penalties and loss of trust. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your Frappe ERPNext installation to a version that includes the fix for CVE-2025-52044. The fix replaces the raw SQL queries with a query builder and adds input sanitization, in particular for the inventory_dimensions_dict parameter passed to get_stock_balance(). Applying the patch or upgrading to a version that includes these changes prevents SQL injection by ensuring safe query construction and input handling. Only the affected version (15.57.5) is listed above, so check the ERPNext release notes for the release that ships the fix and confirm the version actually deployed on each site before treating it as remediated. [1]
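The two answers above describe the bug (values from inventory_dimensions_dict spliced straight into SQL) and the fix (query builder plus sanitization of that parameter) without showing either. The following is an added illustration, not ERPNext's own code: it reconstructs the described pattern against a constructed in-memory SQLite table rather than the real tabStock Ledger Entry schema, and the allowlist DIMENSION_COLUMNS, the function names, the `secrets` table and the injected key are all assumptions made for the demonstration. The vulnerable version interpolates each dictionary key as a column name; the hardened version rejects any key that is not a known dimension column and binds every value as a parameter.

```python
import sqlite3

# Hypothetical allowlist of columns that may be used as inventory dimensions.
# In a real deployment this would be derived from the configured dimensions,
# never from request input.
DIMENSION_COLUMNS = {"warehouse", "shelf"}

# Constructed attacker-controlled key: it closes the intended predicate and
# appends a UNION that reads another table. The trailing "WHERE '' = ?" keeps
# the placeholder count consistent so the query still executes.
INJECTED_DIMENSION = "1=0 UNION SELECT api_key FROM secrets WHERE ''"


def make_db():
    """Constructed stand-in for the stock ledger plus a table worth stealing."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sle (item_code TEXT, warehouse TEXT, shelf TEXT, actual_qty REAL);
        INSERT INTO sle VALUES ('ITEM-1', 'WH-A', 'S1', 10);
        INSERT INTO sle VALUES ('ITEM-1', 'WH-B', 'S2', 25);
        INSERT INTO sle VALUES ('ITEM-2', 'WH-A', 'S1', 7);
        CREATE TABLE secrets (api_key TEXT);
        INSERT INTO secrets VALUES ('sk-live-constructed-secret');
        """
    )
    return conn


def get_stock_balance_vulnerable(conn, item_code, inventory_dimensions_dict=None):
    """Pattern described on the page: dict keys become raw SQL identifiers.

    Values are bound as parameters, which is not enough: the key is still
    concatenated into the statement text and parsed as SQL.
    Returns the first column of every row the query yields.
    """
    conditions = ""
    params = [item_code]
    for dimension, value in (inventory_dimensions_dict or {}).items():
        conditions += f" AND {dimension} = ?"  # key injected verbatim
        params.append(value)
    sql = f"SELECT total(actual_qty) FROM sle WHERE item_code = ?{conditions}"
    return [row[0] for row in conn.execute(sql, params).fetchall()]


def get_stock_balance_hardened(conn, item_code, inventory_dimensions_dict=None):
    """Hardened form: identifiers come from an allowlist, values are bound."""
    conditions = ""
    params = [item_code]
    for dimension, value in (inventory_dimensions_dict or {}).items():
        if dimension not in DIMENSION_COLUMNS:
            raise ValueError(f"unknown inventory dimension: {dimension!r}")
        # The key is now a known column name; quoting it is belt and braces.
        conditions += f' AND "{dimension}" = ?'
        params.append(value)
    sql = f"SELECT total(actual_qty) FROM sle WHERE item_code = ?{conditions}"
    return [row[0] for row in conn.execute(sql, params).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("legit :", get_stock_balance_vulnerable(db, "ITEM-1", {"warehouse": "WH-A"}))
    print("leak  :", get_stock_balance_vulnerable(db, "ITEM-1", {INJECTED_DIMENSION: ""}))
    print("fixed :", get_stock_balance_hardened(db, "ITEM-1", {"warehouse": "WH-A"}))
    try:
        get_stock_balance_hardened(db, "ITEM-1", {INJECTED_DIMENSION: ""})
    except ValueError as exc:
        print("reject:", exc)
```

The legitimate call returns the WH-A balance in both versions, the injected key makes the vulnerable version return the contents of `secrets` alongside the balance, and the hardened version refuses the key before any SQL is built. A query builder such as the one the fix adopts helps for the same reason the allowlist does: identifiers are passed as typed column objects and quoted, so an unexpected key fails as an unknown column instead of being parsed as SQL. Keeping an explicit allowlist at the API boundary is still worthwhile, because it turns the failure into a clear validation error rather than a database error.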