CVE-2025-65923 Overview
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through version 15.88.1 when using the "Update Existing Records" option. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account.
Critical Impact
This stored XSS vulnerability allows attackers to persist malicious scripts in the ERPNext database via crafted CSV imports, enabling session hijacking and unauthorized actions whenever victims view compromised records.
Affected Products
- ERPNext versions through 15.88.1
- ERPNext installations using the CSV import functionality with "Update Existing Records" option
- Frappe Framework-based deployments utilizing ERPNext
Discovery Timeline
- 2026-02-03 - CVE CVE-2025-65923 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-65923
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The stored XSS variant is particularly dangerous because the malicious payload persists in the application's database and executes each time a user views the affected record, potentially impacting multiple victims over time.
The vulnerability specifically affects the CSV import mechanism in ERPNext when the "Update Existing Records" option is enabled. This feature allows users to bulk update database records by uploading CSV files. However, the application fails to properly sanitize input fields within the CSV data before storing them in the database and subsequently rendering them in the web interface.
When a user with appropriate privileges views a record containing the injected payload, the malicious JavaScript executes within their browser session. This can lead to session token theft, account takeover, privilege escalation within the application, or phishing attacks disguised as legitimate ERPNext interface elements.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and output encoding within the ERPNext CSV import processing pipeline. When CSV data is imported using the "Update Existing Records" functionality, field values containing HTML or JavaScript code are not properly sanitized before being stored in the database. Additionally, when these values are rendered in the web interface, they are not properly encoded, allowing embedded scripts to execute in the context of the viewing user's session.
Attack Vector
The attack vector is network-based and requires an authenticated attacker with privileges to import CSV data into ERPNext. The attacker crafts a malicious CSV file containing JavaScript payloads embedded within field values. Upon import using the "Update Existing Records" option, these payloads are stored in the database. When any user subsequently views the affected record through the ERPNext web interface, the malicious script executes in their browser.
A typical attack scenario involves embedding JavaScript payloads such as <script> tags or event handlers within CSV fields like description, notes, or custom text fields. The payload could steal session cookies, redirect users to phishing pages, modify displayed data, or perform actions on behalf of the victim user. For detailed technical information about the ERPNext and Frappe framework architecture, refer to the GitHub Frappe Docker Repository.
Detection Methods for CVE-2025-65923
Indicators of Compromise
- Unusual JavaScript patterns or <script> tags present in database text fields that were populated via CSV import
- Unexpected outbound network requests from user browsers when viewing ERPNext records
- Session tokens or credentials appearing in unexpected locations such as external server logs
- User reports of unexpected browser behavior or redirects when accessing ERPNext pages
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution, monitoring CSP violation reports
- Review database records imported via CSV for suspicious HTML or JavaScript content patterns
- Monitor web application firewall logs for XSS payload signatures in CSV upload requests
- Audit user activity logs for bulk import operations followed by anomalous account behavior
Monitoring Recommendations
- Enable detailed logging for all CSV import operations including user, timestamp, and affected records
- Configure browser-side monitoring for unexpected DOM modifications or script injections on ERPNext pages
- Set up alerts for CSP violations that may indicate XSS exploitation attempts
- Implement session anomaly detection to identify potential session hijacking following XSS attacks
How to Mitigate CVE-2025-65923
Immediate Actions Required
- Restrict CSV import privileges to trusted administrative users only until a patch is applied
- Review recently imported CSV data for potentially malicious JavaScript or HTML content
- Implement strict Content Security Policy headers to mitigate the impact of stored XSS payloads
- Educate users to report any unexpected behavior when viewing records in ERPNext
Patch Information
At the time of publication, no official vendor patch has been confirmed for this vulnerability. Organizations should monitor the ERPNext project and Frappe Framework for security updates addressing this stored XSS issue. The GitHub Frappe Docker Repository may contain updated deployment configurations as patches become available.
Workarounds
- Implement input validation at the application level to sanitize CSV imports before database storage
- Deploy a Web Application Firewall (WAF) with rules to detect and block XSS payloads in file uploads
- Apply strict Content Security Policy headers with script-src 'self' to prevent inline script execution
- Consider temporarily disabling the "Update Existing Records" CSV import option until the vulnerability is patched
# Example Content Security Policy configuration for nginx
# Add to your ERPNext nginx server configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
