CVE-2024-24813 Overview
CVE-2024-24813 is a SQL injection vulnerability [CWE-89] in the Frappe full-stack web application framework. A particular whitelisted method fails to properly sanitize user-supplied input before incorporating it into SQL queries. Authenticated and unauthenticated attackers can exploit this flaw over the network to access data outside their assigned permission scope. The vulnerability affects Frappe versions prior to 14.64.0 and 15.0.0. Frappe addressed the issue in versions 14.64.0 and 15.0.0. No workarounds exist, making patching the only remediation path. The framework powers ERPNext and other business applications, expanding the potential impact across enterprise deployments that rely on Frappe for record storage and access control.
Critical Impact
Network-accessible SQL injection allowing unauthorized data access across permission boundaries in Frappe-based applications including ERPNext.
Affected Products
- Frappe Framework versions prior to 14.64.0
- Frappe Framework versions prior to 15.0.0
- Downstream applications built on vulnerable Frappe versions (including ERPNext deployments)
Discovery Timeline
- 2024-03-21 - CVE-2024-24813 published to the National Vulnerability Database
- 2025-07-31 - Last updated in NVD database
Technical Details for CVE-2024-24813
Vulnerability Analysis
The vulnerability resides in a whitelisted method exposed by the Frappe framework. Whitelisted methods are server-side functions explicitly registered to accept calls from the client via Frappe's RPC interface. These methods process parameters supplied in HTTP requests and frequently interact with the database layer.
The affected method constructs SQL statements using attacker-controlled input without sufficient parameterization. An attacker submits crafted parameters that break out of the intended query context and append additional SQL clauses. The injected SQL executes with the privileges of the database connection used by Frappe, bypassing application-level permission checks that normally restrict record visibility.
The vulnerability impacts confidentiality but does not affect integrity or availability based on the CVSS vector. Successful exploitation discloses records the requesting user is not authorized to view, including data from other tenants, customers, or business documents stored in the Frappe database.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The whitelisted method concatenates or interpolates user-supplied values into SQL query strings rather than using parameterized queries or the framework's safe query builder APIs. This pattern allows SQL metacharacters to alter query semantics.
Attack Vector
The attack vector is network-based and requires no user interaction. An attacker sends an HTTP request to the Frappe RPC endpoint invoking the affected whitelisted method with malicious payload values. Because the method is whitelisted for client invocation, the request reaches the vulnerable code path. The injected SQL then executes against the backend database (typically MariaDB or PostgreSQL), returning data outside the caller's permission scope.
No verified public proof-of-concept code is available. Refer to the Frappe GitHub Security Advisory GHSA-fxfv-7gwx-54jh for additional technical context.
Detection Methods for CVE-2024-24813
Indicators of Compromise
- HTTP requests to /api/method/ endpoints containing SQL metacharacters such as ', --, UNION, or SELECT in parameter values
- Database query logs showing unusual UNION SELECT statements or queries referencing tables outside the requesting user's normal access pattern
- Application logs showing high-volume calls to specific whitelisted methods from a single source IP
- Unexpected data exfiltration patterns in outbound network traffic following Frappe RPC calls
Detection Strategies
- Enable verbose query logging on the database backend and alert on queries containing concatenated user input patterns
- Deploy a web application firewall with SQL injection signatures in front of the Frappe application
- Monitor Frappe access logs for repeated 200-status responses to /api/method/ calls with anomalous parameter lengths or encoded payloads
- Audit installed Frappe and ERPNext versions across the environment to identify vulnerable instances
Monitoring Recommendations
- Track authenticated and unauthenticated calls to RPC endpoints and baseline normal usage per user account
- Forward Frappe application logs and database audit logs to a centralized SIEM for correlation
- Alert on access patterns where a single session retrieves records spanning multiple permission boundaries
How to Mitigate CVE-2024-24813
Immediate Actions Required
- Upgrade Frappe to version 14.64.0 or 15.0.0 or later without delay
- Inventory all Frappe and ERPNext deployments, including self-hosted, cloud, and developer instances
- Restrict network exposure of Frappe RPC endpoints to trusted networks where business requirements allow
- Review database and application logs for evidence of exploitation prior to patching
Patch Information
Frappe released fixed versions 14.64.0 and 15.0.0 that remediate the SQL injection in the affected whitelisted method. Apply the patch through the standard bench update workflow or by upgrading container images to a fixed tag. Consult the Frappe GitHub Security Advisory for complete version guidance.
Workarounds
- No vendor-supplied workarounds are available; upgrading is the only supported remediation
- As a compensating control, place the Frappe application behind a WAF with SQL injection rules until patches are applied
- Rotate database credentials and review audit logs after upgrading to detect any pre-patch exploitation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
