CVE-2025-52041: n/a
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
AI Analysis
Technical Summary
CVE-2025-52041 is a SQL Injection vulnerability identified in Frappe ERPNext version 15.57.5, specifically within the function get_stock_balance_for() located in the file erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py. The vulnerability arises because the inventory_dimensions_dict parameter is not properly sanitized or validated before being incorporated into SQL queries. This flaw allows an attacker to inject arbitrary SQL code, which can be executed by the database engine. As a result, an attacker can extract sensitive information from the underlying database, potentially including confidential business data, user credentials, financial records, and inventory details. The vulnerability does not require authentication or user interaction, increasing its risk profile. Although no known exploits are currently reported in the wild, the nature of SQL Injection vulnerabilities makes them highly attractive targets for attackers due to the ease of exploitation and the potential for significant data breaches. The absence of a CVSS score indicates that the vulnerability is newly published and has not yet been fully assessed for severity by standard scoring systems. The vulnerability affects ERPNext, an open-source enterprise resource planning (ERP) system widely used by organizations for managing business processes including inventory, accounting, and human resources. Given the critical role of ERP systems in business operations, exploitation of this vulnerability could lead to severe confidentiality breaches and operational disruptions.
Potential Impact
For European organizations, the impact of this vulnerability could be substantial. ERPNext is used by a variety of small to medium enterprises and some larger organizations across Europe for managing critical business functions. A successful SQL Injection attack could lead to unauthorized disclosure of sensitive corporate data, including financial records, supplier and customer information, and inventory details. This could result in financial losses, reputational damage, and regulatory penalties under GDPR due to data breaches involving personal data. Additionally, attackers could manipulate inventory data, potentially disrupting supply chain operations and causing operational downtime. The ability to extract comprehensive database information also raises the risk of further attacks, such as privilege escalation or lateral movement within the network. Given the interconnected nature of ERP systems with other business applications, the compromise could cascade, affecting multiple business units. The lack of authentication requirements for exploitation increases the threat level, as attackers could target exposed ERPNext instances directly over the network. European organizations with internet-facing ERPNext deployments or insufficient network segmentation are particularly at risk.
Mitigation Recommendations
To mitigate this vulnerability, European organizations using ERPNext 15.57.5 should immediately apply any available patches or updates from the ERPNext development team once released. In the absence of an official patch, organizations should implement input validation and sanitization controls on the inventory_dimensions_dict parameter to prevent SQL Injection. Employing web application firewalls (WAFs) with rules designed to detect and block SQL Injection attempts can provide an additional layer of defense. Organizations should audit their ERPNext instances to identify and restrict access to the vulnerable function, ensuring that only trusted users and systems can interact with it. Network segmentation should be enforced to limit exposure of ERPNext servers to the internet or untrusted networks. Regular database activity monitoring and anomaly detection can help identify suspicious queries indicative of exploitation attempts. Backup and recovery procedures should be reviewed and tested to ensure rapid restoration in case of data compromise. Finally, organizations should conduct security awareness training for administrators and developers to recognize and remediate injection vulnerabilities in custom ERPNext modules or configurations.
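The following is an added illustration of the two patterns the analysis contrasts: a query builder that splices the keys and values of an inventory-dimensions dictionary straight into SQL text, and a hardened builder that checks every key against an allowlist of column names and binds every value as a query parameter. It is not ERPNext's code; the stock_ledger table, its columns, the ALLOWED_DIMENSIONS set and the sample rows are all constructed for the example, and sqlite3 stands in for the production database.

```python
import sqlite3

# Hypothetical allowlist of inventory-dimension columns that may appear as keys
# of inventory_dimensions_dict. The real column set is ERPNext-specific and is
# an assumption here; the point is that dict keys become SQL identifiers, which
# no driver can parameterize, so they must be vetted before use.
ALLOWED_DIMENSIONS = frozenset({"warehouse", "batch_no", "shelf"})


def make_sample_db():
    """Build a constructed in-memory stock ledger (sqlite3 stands in for MariaDB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stock_ledger (item_code TEXT, warehouse TEXT, "
        "batch_no TEXT, shelf TEXT, actual_qty INTEGER)"
    )
    conn.executemany(
        "INSERT INTO stock_ledger VALUES (?, ?, ?, ?, ?)",
        [
            ("ITEM-1", "WH-A", None, None, 40),
            ("ITEM-1", "WH-B", None, None, 60),
            ("ITEM-2", "WH-A", None, None, 5),
        ],
    )
    return conn


def get_stock_balance_vulnerable(conn, item_code, inventory_dimensions_dict):
    """Injectable pattern: dict keys and values are spliced into the SQL text."""
    sql = (
        "SELECT COALESCE(SUM(actual_qty), 0) FROM stock_ledger "
        f"WHERE item_code = '{item_code}'"
    )
    for key, value in inventory_dimensions_dict.items():
        sql += f" AND {key} = '{value}'"  # a quote in value rewrites the WHERE clause
    return conn.execute(sql).fetchone()[0]


def get_stock_balance_safe(conn, item_code, inventory_dimensions_dict):
    """Hardened form: keys checked against an allowlist, values bound as parameters."""
    unexpected = set(inventory_dimensions_dict) - ALLOWED_DIMENSIONS
    if unexpected:
        raise ValueError(f"unknown inventory dimension(s): {sorted(unexpected)}")
    sql = "SELECT COALESCE(SUM(actual_qty), 0) FROM stock_ledger WHERE item_code = ?"
    params = [item_code]
    for key in sorted(inventory_dimensions_dict):  # key is now a vetted identifier
        sql += f" AND {key} = ?"
        params.append(inventory_dimensions_dict[key])  # value never touches the SQL text
    return conn.execute(sql, params).fetchone()[0]


if __name__ == "__main__":
    db = make_sample_db()
    tainted = {"warehouse": "x' OR '1'='1"}  # constructed value that breaks out of the quoting
    print(get_stock_balance_vulnerable(db, "ITEM-1", tainted))  # every ledger row is summed
    print(get_stock_balance_safe(db, "ITEM-1", tainted))        # compared as a literal: 0
```

Running the block shows the difference the mitigation section is asking for: the spliced query returns the sum over the whole table because the closing quote in the value turns the filter into `... OR '1'='1'`, while the parameterized query compares the same string as an ordinary literal and finds nothing. The allowlist is what closes the second, less obvious hole, since a column name arriving as a dictionary key cannot be bound as a parameter and would otherwise be interpolated unchecked.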
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68dd3cf604e976796deff843
Added to database: 10/1/2025, 2:38:46 PM
Last enriched: 10/1/2025, 2:39:03 PM
Last updated: 10/2/2025, 7:24:18 AM