CVE-2025-65924 Overview
ERPNext through version 15.88.1 contains an HTML injection vulnerability in the 'Add Quality Goal' function. The application fails to sanitize or remove certain HTML tags, specifically <a> hyperlinks, in fields intended for plain text input. While JavaScript is blocked to prevent traditional XSS attacks, the HTML markup is preserved when generating PDF documents. This allows attackers to inject malicious clickable links into ERP-generated PDFs, which are generally considered trustworthy by users, making them highly susceptible to phishing attacks or malware delivery.
Critical Impact
Attackers can inject malicious hyperlinks into trusted ERP-generated PDF documents, enabling phishing attacks and potential malware delivery through user trust exploitation.
Affected Products
- ERPNext versions through 15.88.1
- Frappe Framework (underlying framework)
- PDF generation functionality within Quality Goal module
Discovery Timeline
- 2026-02-03 - CVE CVE-2025-65924 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-65924
Vulnerability Analysis
This vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The core issue lies in the application's incomplete input sanitization approach. While ERPNext implements controls to block JavaScript execution (preventing traditional XSS attacks), it fails to strip or neutralize HTML anchor (<a>) tags from user-controlled input fields.
When users create Quality Goals within the ERP system, the input fields accept HTML markup that persists through the PDF generation pipeline. The PDF renderer processes these HTML elements, resulting in fully functional clickable hyperlinks embedded within the generated documents. This creates a trust-based attack vector since PDF documents generated by enterprise systems are typically considered authoritative and safe by end users.
Root Cause
The root cause is inadequate input validation in the Quality Goal functionality. The application's sanitization logic specifically targets script execution but does not account for the security implications of allowing arbitrary HTML links in PDF output. The Frappe framework's PDF generation component preserves HTML formatting, including anchor tags with href attributes, without additional security filtering.
Attack Vector
The attack requires network access and low-privilege authentication to the ERPNext system. An attacker with basic user access can create or modify Quality Goal entries, injecting malicious <a> tags with attacker-controlled URLs into text fields. When these records are exported to PDF format, the malicious links become active elements within the document. Users who receive and open these PDFs may click the embedded links, believing them to be legitimate references, potentially leading to credential theft, malware downloads, or other social engineering attacks.
The attack leverages the inherent trust users place in internally-generated ERP documents. Since the links appear within an official business document, users are significantly more likely to interact with them compared to links received through external channels.
Detection Methods for CVE-2025-65924
Indicators of Compromise
- Presence of HTML anchor tags (<a href=) in Quality Goal database entries or text fields
- PDF documents generated from ERPNext containing unexpected external hyperlinks
- User reports of suspicious links within ERP-generated PDF documents
- Audit log entries showing unusual modification of Quality Goal records
Detection Strategies
- Implement content inspection rules to detect HTML tags in plain text database fields
- Review Quality Goal entries for embedded HTML markup using database queries
- Monitor PDF generation logs for documents containing external URLs
- Deploy email gateway rules to scan ERP-generated PDF attachments for suspicious links
Monitoring Recommendations
- Enable detailed audit logging for Quality Goal creation and modification events
- Implement regular automated scans of the Quality Goal database table for HTML content
- Configure alerts for PDF generation events containing external domain references
- Establish baseline analysis of normal link patterns in ERP-generated documents
How to Mitigate CVE-2025-65924
Immediate Actions Required
- Review all existing Quality Goal entries for embedded HTML content and sanitize as needed
- Implement input validation at the application layer to strip HTML tags from plain text fields
- Educate users about the potential for malicious links in ERP-generated documents
- Consider restricting Quality Goal creation privileges to trusted users only
Patch Information
No official vendor patch has been announced at the time of publication. Organizations should monitor the GitHub Frappe Docker Repository and official ERPNext release channels for security updates addressing this vulnerability. Given the low severity rating and requirement for authenticated access, organizations should prioritize this remediation based on their risk assessment.
Workarounds
- Implement a custom server-side hook to sanitize HTML from Quality Goal fields before saving
- Deploy a PDF post-processing solution to strip or neutralize hyperlinks from generated documents
- Configure Content Security Policy headers where applicable to limit external resource loading
- Use database triggers or application middleware to detect and block HTML injection attempts
# Example: Query to identify potentially injected HTML in Quality Goal entries
# Run against your ERPNext/MariaDB database
mysql -u [username] -p erpnext -e "SELECT name, goal FROM \`tabQuality Goal\` WHERE goal LIKE '%<a %' OR goal LIKE '%href=%';"
# Example: Frappe bench command to run custom sanitization script
bench --site [site-name] execute custom_app.sanitize_quality_goals
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
