CVE-2025-52050 is a medium-severity SQL Injection vulnerability identified in Frappe ERPNext version 15.57.5, specifically within the function get_loyalty_program_details_with_points() located in the file erpnext/accounts/doctype/loyalty_program/loyalty_program.py. The vulnerability arises because the expiry_date parameter is not properly sanitized or validated before being incorporated into an SQL query. This flaw allows an unauthenticated attacker to inject arbitrary SQL code via the expiry_date parameter, potentially enabling them to extract sensitive information from the underlying database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which is a common and critical class of injection flaws. According to the CVSS v3.1 scoring, the vulnerability has a base score of 6.5, indicating medium severity. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N indicates that the attack can be performed remotely over the network without any privileges or user interaction, affecting confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could allow attackers to extract confidential data from ERPNext databases, which often contain sensitive business and financial information, loyalty program details, and customer data. Given ERPNext's role as an open-source ERP system widely used by small to medium enterprises, this vulnerability poses a significant risk if left unmitigated.

For European organizations using ERPNext, this vulnerability could lead to unauthorized disclosure of sensitive business data, including customer loyalty program details and potentially broader financial or operational information stored within the ERP system. The confidentiality breach could result in loss of customer trust, regulatory non-compliance (e.g., GDPR violations due to exposure of personal data), and financial damage. Since ERPNext is often used by SMEs across Europe, the impact could be widespread, especially for companies that rely heavily on loyalty programs and customer relationship management. The integrity impact, while rated low, could still allow attackers to manipulate data queries, potentially leading to inaccurate reporting or business decisions. The lack of required authentication and user interaction makes exploitation easier, increasing the risk of automated attacks. Although availability is not impacted, the breach of confidentiality and integrity alone can have serious operational and reputational consequences for European businesses.

To mitigate this vulnerability, European organizations should immediately review and restrict access to ERPNext instances, especially those exposed to the internet. Network-level protections such as Web Application Firewalls (WAFs) should be configured to detect and block SQL injection patterns targeting the expiry_date parameter. Organizations should audit their ERPNext installations and apply any available patches or updates from the vendor as soon as they are released. In the absence of official patches, temporary mitigations include implementing input validation and sanitization on the expiry_date parameter, using parameterized queries or prepared statements in the codebase, and restricting database user permissions to minimize data exposure. Regular security assessments and penetration testing focused on injection vulnerabilities should be conducted. Additionally, monitoring database query logs for unusual or suspicious activity related to loyalty program queries can help detect exploitation attempts early. Finally, organizations should ensure compliance with data protection regulations by preparing incident response plans in case of data breaches.