SQL Injection Vulnerability in Frappe ERPNext by Frappe Technologies
CVE-2025-52044

7.5HIGH

Key Information:

Vendor: Frappe Technologies
Status: Frappe ERPNext
Vendor: CVE Published:; 16 September 2025

🔔 Create Frappe Technologies Vulnerability Alert

What is CVE-2025-52044?

A SQL Injection vulnerability exists in Frappe ERPNext version 15.57.5, specifically in the function get_stock_balance() found in erpnext/stock/utils.py. This flaw enables attackers to manipulate the input parameter 'inventory_dimensions_dict', allowing them to execute arbitrary SQL queries. If exploited, this vulnerability could grant unauthorized access to sensitive database information, posing significant risks to the integrity and confidentiality of the affected systems.

References

https://github.com/Vietsunshine-Electronic-Solution-JSC/V...

https://github.com/frappe/erpnext/pull/49192/commits/eb22...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 16, 2025
Vulnerability Reserved
Jun 16, 2025

JSON