CVE-2025-66434
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-23

Assigner: MITRE

Description
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66434
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe erpnext to 15.89.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by attempting to inject Jinja2 template payloads into the Dunning Letter Text's body_text field and observing the response. For example, an authenticated user with permission can inject a payload like {{ frappe.db.sql("SELECT @@version") }} into the body_text field of a Dunning Letter Text and then trigger the rendering by creating a new Dunning referencing the manipulated Dunning Type. Alternatively, detection can be done by sending a POST request to the API endpoint /api/method/erpnext.accounts.doctype.dunning.dunning.get_dunning_letter_text with a crafted payload and checking if the response contains the evaluated SQL query result. Commands to test this might include using curl or similar HTTP clients to POST to the endpoint with malicious template data and inspecting the response for database information leakage. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to users who can configure Dunning Types and Dunning Letter Texts to trusted administrators only, as the vulnerability requires authenticated users with these permissions. Avoid allowing untrusted users to edit or create Dunning Letter Texts. Additionally, monitor and audit changes to Dunning Types and their child tables for suspicious template injections. If possible, upgrade ERPNext to a version beyond 15.89.0 where this vulnerability is fixed or apply patches that remove dangerous globals from the Jinja2 sandbox environment or sanitize user inputs before rendering templates. [1]

Compliance Impact

This vulnerability allows authenticated attackers to execute arbitrary server-side code and perform SQL queries that can disclose sensitive database information. Such unauthorized access and data leakage can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access and processing. Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential unauthorized disclosure of protected data. [1]

Impact Analysis

This vulnerability allows an authenticated attacker with configuration permissions to execute arbitrary server-side code and SQL queries on the backend database via injected Jinja2 templates. This can lead to unauthorized disclosure of sensitive database information and potentially compromise the integrity and confidentiality of the system data. [1]

Executive Summary

CVE-2025-66434 is a Server-Side Template Injection (SSTI) vulnerability in ERPNext versions up to 15.89.0, specifically in the get_dunning_letter_text function. This function renders user-controlled Jinja2 templates using a user-supplied context. Although ERPNext uses a custom sandboxed environment, dangerous globals like frappe.db.sql remain accessible. An authenticated attacker with permission to configure Dunning Types and Dunning Letter Text can inject malicious Jinja2 expressions, leading to server-side code execution and potential leakage of sensitive database information. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart