Cyber Posture

CVE-2025-66434

HighPublic PoC

Published: 15 December 2025

Published
15 December 2025
Modified
23 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 34.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such…

more

as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Validates and sanitizes attacker-controlled body_text inputs to prevent injection of malicious Jinja expressions leading to SSTI.

AC-6 Least Privilege good match
prevent

Enforces least privilege to restrict configuration access to Dunning Type and Letter Text, blocking authenticated attackers without necessary permissions.

SI-2 Flaw Remediation good match
prevent

Remediates the SSTI flaw in frappe.render_template by patching unsafe globals in the SandboxedEnvironment.

Security SummaryAI

CVE-2025-66434 is a Server-Side Template Injection (SSTI) vulnerability in the get_dunning_letter_text method of Frappe ERPNext through version 15.89.0. The method renders attacker-controlled Jinja2 templates from the body_text field using frappe.render_template() with a user-supplied context (doc). Although Frappe employs a custom SandboxedEnvironment, dangerous globals such as frappe.db.sql remain accessible via get_safe_globals(), enabling execution of arbitrary Jinja expressions. The issue is associated with CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Incorrect Handling of Shared Resource Lifetime), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with permissions to configure Dunning Type and its child table Dunning Letter Text can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious Jinja expressions into the body_text, the attacker achieves server-side code execution within the restricted but unsafe sandbox context, potentially leaking sensitive database information through functions like frappe.db.sql.

Details on the vulnerability, including potential mitigation strategies, are documented in advisories at https://iamanc.github.io/post/erpnext-ssti-bug-1 and https://www.notion.so/SSTI-bug-1-239e6086eadc8096bfcfe90551a3a483?source=copy_link.

Details

CWE(s)
CWE-94CWE-1336

Affected Products

frappe
erpnext
≤ 15.89.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1221 Template Injection Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
attack.mitre.org →
Why these techniques?

SSTI vulnerability in public-facing web application (ERPNext) directly enables T1190 (Exploit Public-Facing Application) and T1221 (Template Injection) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References