CVE-2025-52050 in ERPNext
Summary
by MITRE • 09/30/2025
In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/01/2025
The vulnerability identified as CVE-2025-52050 resides within the Frappe ERPNext platform version 15.57.5, specifically within the loyalty program functionality. This security flaw manifests in the get_loyalty_program_details_with_points() function located in the file erpnext/accounts/doctype/loyalty_program/loyalty_program.py. The vulnerability represents a critical SQL injection weakness that fundamentally compromises database security and data integrity.
The technical implementation of this vulnerability stems from improper input validation and sanitization within the expiry_date parameter handling. When an attacker supplies malicious input through this parameter, the application fails to properly escape or parameterize the input before incorporating it into SQL query construction. This allows arbitrary SQL commands to be executed within the database context, enabling full data extraction capabilities. The vulnerability operates under CWE-89 which specifically addresses SQL injection flaws where untrusted data is incorporated into database queries without proper sanitization measures.
The operational impact of this vulnerability extends beyond simple data theft to encompass complete database compromise and potential system escalation. An attacker could leverage this weakness to extract all customer loyalty program data, including sensitive customer information, transaction histories, and potentially administrative credentials stored within the same database. The attack vector requires minimal privileges since the vulnerability exists within a function that likely operates with elevated database permissions to maintain loyalty program integrity. This aligns with ATT&CK technique T1071.004 for application layer protocol usage and T1566 for phishing attacks that could lead to initial access.
Database administrators and security teams should immediately implement mitigations including input validation, parameterized queries, and comprehensive code review procedures. The recommended approach involves ensuring all user inputs are properly sanitized and that the application employs prepared statements or parameterized queries for all database interactions. Additionally, implementing web application firewalls and database activity monitoring can provide additional layers of protection. Organizations using ERPNext should also consider applying immediate patches or workarounds while conducting thorough security assessments of their loyalty program implementations. The vulnerability demonstrates the critical importance of secure coding practices in enterprise applications and the potential for seemingly minor functionality flaws to create catastrophic security implications.