
CVE-2025-52042: n/a

Severity: High
Published: Wed Oct 01 2025 (10/01/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt parameter.

AI-Powered Analysis

AI analysis last updated: 10/01/2025, 14:29:13 UTC

Technical Analysis

CVE-2025-52042 is a SQL injection vulnerability in Frappe ERPNext, reported against version 15.57.5. The affected code is the function get_rfq_containing_supplier() in erpnext/buying/doctype/request_for_quotation/request_for_quotation.py. In Frappe, txt is the conventional name for the free-text search term passed to link-field search queries; this function builds its SQL using that value without adequately validating or parameterising it, so an attacker who can reach the endpoint can inject SQL through txt and read data the query was never meant to return. The disclosure describes the impact as extraction of "all information from databases", i.e. broad read access to the ERP database, which may include business records, supplier data and user account information; it does not establish whether the injection point also permits data modification, nor whether authentication is required to reach the function. ERPNext is widely deployed for procurement and supply-chain processes, so the exposure is significant for organizations that run it. No CVSS score has been assigned and no in-the-wild exploitation is known, which is consistent with a recent disclosure rather than evidence of low risk. The record names only 15.57.5 and lists neither an affected-version range nor a fixed release, so nearby 15.x releases should be treated as potentially affected until the vendor or the upstream repository confirms otherwise. The CVE was reserved on 2025-06-16 and published on 2025-10-01.

Potential Impact

For European organizations using Frappe ERPNext, this vulnerability could have severe consequences. ERP systems hold critical business data, including financial records, supplier contracts, pricing information and internal communications. Exploitation of this SQL injection could expose that data, enabling intellectual property theft, financial fraud or competitive disadvantage; if extracted user records include credentials or API keys, they can also be reused to log in to the application directly. Should the injection point also allow data-modifying statements (something the disclosure does not establish), attackers could alter or delete records, undermining data integrity and disrupting operations. Because ERP systems are typically integrated with other enterprise applications, a compromise could also serve as a foothold for lateral movement and broader intrusion. The impact is heightened in sectors subject to strict data protection rules such as the GDPR, where breaches carry heavy fines and reputational damage, and in manufacturing, retail and logistics, where tampered or leaked procurement data can translate into supply chain disruption.

Mitigation Recommendations

Organizations should immediately check whether Frappe ERPNext 15.57.5, or a nearby 15.x release, is deployed. The CVE record lists no patch; in addition to checking the vendor's release notes and the upstream repository history for a fix to get_rfq_containing_supplier(), the following mitigations are recommended:
1) Replace string-built SQL with parameterised queries. In Frappe this means passing the search term as a bound value (frappe.db.sql(query, values) with %s placeholders) rather than formatting it into the query text; escaping or pattern-based "sanitization" of txt is weaker and easy to get wrong.
2) Deploy a Web Application Firewall with SQL injection rules in front of the ERPNext endpoints as a stopgap. A WAF reduces opportunistic exploitation but is not a substitute for fixing the query.
3) Restrict the database account used by ERPNext to the minimum privileges it needs. The application requires read and write access to its own schema, so the practical gain is denying access to other databases, file-system functions and administrative statements.
4) Monitor application and database logs for search requests whose txt value contains SQL metacharacters, UNION clauses or comment sequences, and for unusual volumes of search-query calls, which may indicate probing or automated extraction.
5) Place the ERP system in a segmented network zone with strict access controls to reduce its exposure.
6) Follow Frappe and ERPNext advisories and apply the official fix promptly once it is released.
7) Conduct security code reviews and penetration testing focused on input handling in ERPNext customizations and integrations, since custom search queries that follow the same string-formatting pattern are equally exposed.
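As an added illustration of mitigation 1 (this is not ERPNext's code; the schema, function names, sample rows and payload are constructed for the demonstration), the block below places the vulnerable string-formatting pattern next to its parameterised replacement. It runs against an in-memory SQLite database, so the placeholder is ? rather than the %s that frappe.db.sql uses, but the distinction between splicing txt into the query text and binding it as a value is the same.

```python
"""Vulnerable vs. parameterised search query, in the style of a Frappe
link-field search function. Added example, not ERPNext's code: the tables,
rows, function names and attack payload are all constructed here."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: RFQ supplier rows plus a table an attacker
    would want to reach (the column names are illustrative, not ERPNext's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE "tabRequest for Quotation Supplier" (
            parent TEXT, supplier TEXT, supplier_name TEXT
        );
        CREATE TABLE "tabUser" (name TEXT, api_key TEXT);
        INSERT INTO "tabRequest for Quotation Supplier" VALUES
            ('PUR-RFQ-2025-00001', 'SUP-0001', 'Acme Metals'),
            ('PUR-RFQ-2025-00002', 'SUP-0002', 'Baltic Steel');
        INSERT INTO "tabUser" VALUES
            ('admin@example.com', 'apikey-secret-1'),
            ('buyer@example.com', 'apikey-secret-2');
        """
    )
    return conn


def rfq_containing_supplier_vulnerable(conn: sqlite3.Connection, txt: str) -> list:
    """The injectable pattern: the search term is formatted straight into the
    SQL text, so quotes and keywords inside txt become part of the query."""
    query = (
        'SELECT parent, supplier_name FROM "tabRequest for Quotation Supplier" '
        f"WHERE supplier_name LIKE '%{txt}%'"
    )
    return conn.execute(query).fetchall()


def rfq_containing_supplier_fixed(conn: sqlite3.Connection, txt: str) -> list:
    """The same search with txt bound as a parameter. The database driver
    never interprets the term as SQL, whatever it contains.
    In Frappe the equivalent is frappe.db.sql(query, (f"%{txt}%",)) with a
    %s placeholder in place of the ? used by sqlite3."""
    query = (
        'SELECT parent, supplier_name FROM "tabRequest for Quotation Supplier" '
        "WHERE supplier_name LIKE ?"
    )
    return conn.execute(query, (f"%{txt}%",)).fetchall()


# Constructed payload: closes the LIKE literal, appends a UNION that reads a
# different table, and comments out the remainder of the original query.
ATTACK_TXT = "x' UNION SELECT name, api_key FROM \"tabUser\" --"


if __name__ == "__main__":
    db = build_db()
    print("benign, vulnerable:", rfq_containing_supplier_vulnerable(db, "Steel"))
    print("attack, vulnerable:", rfq_containing_supplier_vulnerable(db, ATTACK_TXT))
    print("benign, fixed:     ", rfq_containing_supplier_fixed(db, "Steel"))
    print("attack, fixed:     ", rfq_containing_supplier_fixed(db, ATTACK_TXT))
```

With the constructed payload the vulnerable function returns the two rows of "tabUser" instead of RFQ data, while the fixed function returns an empty result because the whole payload is treated as a literal search term; a normal search such as "Steel" behaves identically in both. The same check, run against any custom search query in an ERPNext deployment, is a quick way to confirm that a term is being bound rather than formatted.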


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 68dd3a90787d03c6c8e4750e

Added to database: 10/1/2025, 2:28:32 PM

Last enriched: 10/1/2025, 2:29:13 PM

Last updated: 10/2/2025, 8:55:51 AM

