CVE-2025-52039: n/a
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.
AI Analysis
Technical Summary
CVE-2025-52039 is a SQL Injection vulnerability identified in the Frappe ERPNext platform, specifically affecting version 15.57.5. The vulnerability exists in the function get_material_requests_based_on_supplier() located in the file erpnext/stock/doctype/material_request/material_request.py. This function improperly handles the 'txt' parameter, allowing an attacker to inject arbitrary SQL queries. Exploiting this flaw enables an attacker to extract sensitive information from the backend database, potentially exposing all stored data. The vulnerability arises due to insufficient input validation or sanitization of the 'txt' parameter before it is incorporated into SQL queries. Since ERPNext is an open-source ERP system widely used for enterprise resource planning, this vulnerability can lead to significant data breaches, including exposure of financial records, supplier information, inventory data, and other critical business information. Although no known exploits are currently reported in the wild, the nature of SQL Injection vulnerabilities makes them highly exploitable, especially if the affected instance is accessible over a network. The absence of a CVSS score indicates that the vulnerability is newly published and may not yet have undergone formal severity assessment. However, the ability to extract all database information without authentication or complex user interaction suggests a severe risk. No patch links are currently available, indicating that organizations using this version of ERPNext must be vigilant and consider temporary mitigations until an official fix is released.
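The defect the summary describes, shown as an added example that is not code from ERPNext and does not reproduce the project's actual implementation: a supplier-scoped search that interpolates the caller-controlled `txt` value into a LIKE filter, beside a version that binds it as a parameter and escapes LIKE wildcards. The table, sample rows, function names and the SQLite in-memory database are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data standing in for material-request rows.
# This is illustrative, not the project's schema.
SAMPLE_ROWS = [
    ("MAT-MR-0001", "Supplier A", "Steel plates"),
    ("MAT-MR-0002", "Supplier A", "Copper wire"),
    ("MAT-MR-0003", "Supplier B", "Steel bolts"),
]

# Escape character used for the LIKE pattern; '!' is chosen because it is
# not treated specially inside string literals by common SQL dialects.
LIKE_ESCAPE = "!"


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mr (name TEXT, supplier TEXT, item TEXT)")
    conn.executemany("INSERT INTO mr VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, supplier, txt):
    """Vulnerable pattern: txt is pasted into the SQL text, so any quote,
    comment sequence or operator in it is parsed as SQL rather than data."""
    sql = (
        "SELECT name FROM mr WHERE supplier = '%s' AND item LIKE '%%%s%%'"
        % (supplier, txt)
    )
    return [row[0] for row in conn.execute(sql)]


def escape_like(value):
    """Bound parameters stop quotes from being interpreted, but LIKE still
    honours % and _ inside the value; escape them so the search is literal."""
    for ch in (LIKE_ESCAPE, "%", "_"):
        value = value.replace(ch, LIKE_ESCAPE + ch)
    return value


def search_safe(conn, supplier, txt):
    """Hardened pattern: every caller-controlled value travels as a bound
    parameter, and the LIKE wildcards in it are escaped."""
    sql = (
        "SELECT name FROM mr WHERE supplier = ? "
        "AND item LIKE ? ESCAPE '!'"
    )
    pattern = "%" + escape_like(txt) + "%"
    return [row[0] for row in conn.execute(sql, (supplier, pattern))]


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, "Supplier A", "Steel"))   # normal search
    print(search_safe(db, "Supplier A", "%"))       # literal percent, no rows
    try:
        search_unsafe(db, "Supplier A", "'")        # lone quote breaks the SQL
    except sqlite3.OperationalError as exc:
        print("unsafe query failed to parse:", exc)
```

The single-quote probe is the cheapest review check for this class of bug: if a lone quote in a search field changes the shape of the query (an error, or a different row set), the value is being parsed as SQL. Note that binding alone does not make a LIKE search literal; without the wildcard escaping a `txt` of `%` still matches every row for that supplier.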
Potential Impact
For European organizations using Frappe ERPNext 15.57.5, this vulnerability poses a critical risk to data confidentiality and integrity. ERP systems typically contain sensitive business data, including financial transactions, supplier contracts, employee information, and inventory details. Unauthorized extraction of such data can lead to financial losses, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential operational disruptions. The breach of supplier and inventory data could also impact supply chain security and business continuity. Given the interconnected nature of ERP systems with other business applications, exploitation could facilitate further lateral movement within corporate networks. European organizations are subject to stringent data protection laws, and exposure of personal or sensitive data could result in significant legal and financial penalties. The lack of authentication or user interaction requirements for exploitation increases the threat level, especially for ERPNext instances exposed to the internet or accessible by multiple users.
Mitigation Recommendations
1. Immediate action should include restricting access to the ERPNext instance, ensuring it is not publicly accessible without proper network controls such as VPNs or IP whitelisting.
2. Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection patterns targeting the 'txt' parameter in the affected function.
3. Conduct a thorough audit of all ERPNext instances to identify affected versions and isolate them until patched.
4. Monitor database and application logs for unusual query patterns or access attempts that may indicate exploitation attempts.
5. Engage with the ERPNext community or vendor to obtain patches or updates addressing this vulnerability as soon as they become available.
6. As a temporary workaround, consider disabling or restricting the functionality related to material requests based on suppliers if feasible.
7. Educate internal teams about the risks of SQL Injection and enforce secure coding practices for any customizations or extensions to ERPNext.
8. Regularly back up ERP data securely to enable recovery in case of data compromise.
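Recommendations 2 and 4 both come down to looking at the `txt` parameter on requests to the affected function. The following added example (not part of the advisory or of ERPNext) is a small log scanner that parses web-server access lines, isolates requests to that method, URL-decodes the `txt` value and flags SQL metacharacters in it. The request path is an assumption derived from the module path in the advisory and Frappe's `/api/method/<dotted.path>` routing convention; the log lines are constructed sample traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed request path for the affected function (derived from the module
# path erpnext/stock/doctype/material_request/material_request.py and the
# /api/method/<dotted.path> convention); verify against your own routes.
AFFECTED_METHOD = (
    "/api/method/erpnext.stock.doctype.material_request"
    ".material_request.get_material_requests_based_on_supplier"
)

# Generic indicators that a free-text search value is carrying SQL syntax:
# a quote, a comment opener, or a SQL keyword. Tune to your traffic.
SQLI_PATTERN = re.compile(
    r"(['\"]|--|/\*|#)|\b(union|select|sleep|benchmark)\b",
    re.IGNORECASE,
)

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Constructed sample traffic, not real logs. Line 2 carries an encoded quote
# and comment sequence in txt; line 3 is an unrelated page view.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:14:38:46 +0000] "GET /api/method/erpnext.stock.doctype.material_request.material_request.get_material_requests_based_on_supplier?supplier=SUP-0001&txt=steel HTTP/1.1" 200 512
10.0.0.9 - - [01/Oct/2025:14:39:02 +0000] "GET /api/method/erpnext.stock.doctype.material_request.material_request.get_material_requests_based_on_supplier?supplier=SUP-0001&txt=%27%20OR%201%3D1--%20 HTTP/1.1" 200 8192
10.0.0.7 - - [01/Oct/2025:14:39:10 +0000] "GET /app/material-request HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Split one access-log line into fields; query values are URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def scan_log(text):
    """Return one hit per request to the affected method whose decoded txt
    value matches the SQL-syntax indicators."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != AFFECTED_METHOD:
            continue
        txt = rec["params"].get("txt", "")
        if SQLI_PATTERN.search(txt):
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "status": rec["status"], "txt": txt})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoding before matching matters: the indicator characters usually arrive percent-encoded, so a rule that inspects the raw request line misses them. Expect some false positives from legitimate item names containing an apostrophe or the word "select"; for a WAF rule that blocks rather than alerts, scope it to this method and parameter as shown rather than applying it site-wide, and compare flagged requests against unusually large response sizes, since bulk extraction tends to show up there.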
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68dd3cf604e976796deff83f
Added to database: 10/1/2025, 2:38:46 PM
Last enriched: 10/1/2025, 2:39:21 PM
Last updated: 10/3/2025, 12:10:35 AM