SQL Injection Vulnerability in Frappe ERPNext by Frappe
CVE-2025-52041

8.2HIGH

Key Information:

Vendor

Frappe

Status
ERPNext
Vendor
CVE Published:
1 October 2025

What is CVE-2025-52041?

In Frappe ERPNext version 15.57.5, a critical SQL Injection vulnerability exists in the function get_stock_balance_for() located at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py. This flaw allows an attacker to manipulate the inventory_dimensions_dict parameter to execute arbitrary SQL commands. As a result, unauthorized users can gain access to sensitive information from the database, potentially leading to data breaches and privacy violations.

References

https://github.com/Vietsunshine-Electronic-Solution-JSC/V...
https://github.com/frappe/erpnext/pull/49192/commits/eb22...

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-52041 : SQL Injection Vulnerability in Frappe ERPNext by Frappe