CVE-2025-52048

Unknown Unknown - Not Provided

BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-20

Assigner: MITRE

Description

In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, in the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-09-15

Last Modified

2025-09-20

Generated

2026-06-16

AI Q&A

2025-09-15

EPSS Evaluated

2026-06-15

NVD

CVE-2025-52048

EUVD

EUVD-2025-29206

Affected Vendors & Products

Vendor	Product	Version / Range
frappe	frappe	From 14.0.0 (inc) to 14.96.10 (exc)
frappe	frappe	From 15.0.0 (inc) to 15.72.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability is a SQL injection flaw in the Frappe framework versions before 15.72.0 and 14.96.10. It occurs in the add_tag() function where the dt parameter is not properly validated, allowing an attacker to inject malicious SQL queries. This can lead to unauthorized extraction of information from the database. [1]

Impact Analysis

Exploitation of this vulnerability can allow an attacker to retrieve sensitive information from the database without authorization. It has a high severity with a CVSS score of 8.1, impacting confidentiality and integrity of data. The attack can be performed remotely with low complexity and does not require user interaction, potentially exposing sensitive system details and data. [1]

Detection Guidance

Detection can involve monitoring for unusual or suspicious requests to the vulnerable endpoint that uses the 'dt' parameter in the add_tag() function. Since the vulnerability is an error-based SQL injection, sending crafted payloads to the endpoint and observing error messages or unexpected responses can help identify the issue. Specific commands are not provided in the resources, but typical approaches include using tools like curl or sqlmap targeting the vulnerable parameter to test for SQL injection. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the frappe package to version 15.72.0 or 14.96.10 or later, as there are no available workarounds. This upgrade addresses the SQL injection vulnerability by properly validating parameters. [1]

Hi! I’m here to help you understand CVE-2025-52048. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-52048

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart