CVE-2025-66434
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-23
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | erpnext | up to and including 15.89.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker with configuration permissions to execute arbitrary server-side code and SQL queries on the backend database via injected Jinja2 templates. This can lead to unauthorized disclosure of sensitive database information and potentially compromise the integrity and confidentiality of the system data. [1]
Can you explain this vulnerability to me?
CVE-2025-66434 is a Server-Side Template Injection (SSTI) vulnerability in ERPNext versions up to 15.89.0, specifically in the get_dunning_letter_text function. This function renders user-controlled Jinja2 templates using a user-supplied context. Although ERPNext uses a custom sandboxed environment, dangerous globals like frappe.db.sql remain accessible. An authenticated attacker with permission to configure Dunning Types and Dunning Letter Text can inject malicious Jinja2 expressions, leading to server-side code execution and potential leakage of sensitive database information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject Jinja2 template payloads into the Dunning Letter Text's body_text field and observing the response. For example, an authenticated user with permission can inject a payload like {{ frappe.db.sql("SELECT @@version") }} into the body_text field of a Dunning Letter Text and then trigger the rendering by creating a new Dunning referencing the manipulated Dunning Type. Alternatively, detection can be done by sending a POST request to the API endpoint /api/method/erpnext.accounts.doctype.dunning.dunning.get_dunning_letter_text with a crafted payload and checking if the response contains the evaluated SQL query result. Commands to test this might include using curl or similar HTTP clients to POST to the endpoint with malicious template data and inspecting the response for database information leakage. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to users who can configure Dunning Types and Dunning Letter Texts to trusted administrators only, as the vulnerability requires authenticated users with these permissions. Avoid allowing untrusted users to edit or create Dunning Letter Texts. Additionally, monitor and audit changes to Dunning Types and their child tables for suspicious template injections. If possible, upgrade ERPNext to a version beyond 15.89.0 where this vulnerability is fixed or apply patches that remove dangerous globals from the Jinja2 sandbox environment or sanitize user inputs before rendering templates. [1]
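The mitigation above asks defenders to audit Dunning Letter Text bodies for template expressions that reach outside the intended rendering context. The following audit check is an added example written for this page; it is not BaseFortify's or ERPNext's code. It assumes a hypothetical minimal allowlist of root names (`doc`, `dunning`, `company`, `customer`) that a letter template is expected to use, and the rows it scans are constructed samples. It extracts every `{{ ... }}` and `{% ... %}` block, resolves the root identifier of each reference (ignoring attributes, filters, string literals, Jinja keywords and loop or `set` variables), and reports any root that is not on the allowlist, which is how the `frappe` global referenced in the advisory's payload surfaces.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed allowlist (assumption, not ERPNext's real context): the only root
# names a dunning letter template should reference when rendered with a
# minimal, purpose-built context instead of the full frappe globals.
ALLOWED_ROOTS = frozenset({"doc", "dunning", "company", "customer"})

# Jinja2 statement keywords and literals that are not variable references.
JINJA_RESERVED = frozenset({
    "if", "elif", "else", "endif", "for", "endfor", "in", "not", "and", "or",
    "is", "set", "endset", "with", "endwith", "loop", "true", "false", "none",
    "True", "False", "None", "raw", "endraw", "macro", "endmacro",
})

_BLOCKS = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
_COMMENTS = re.compile(r"\{#.*?#\}", re.DOTALL)
_STRINGS = re.compile(r"'[^']*'|\"[^\"]*\"")
_FILTERS = re.compile(r"\|\s*[A-Za-z_]\w*")
# An identifier not preceded by a word char or '.', i.e. the root of a chain.
_ROOTS = re.compile(r"(?<![\w.])[A-Za-z_]\w*")
_FOR_TARGETS = re.compile(r"\bfor\s+([\w\s,]+?)\s+in\b")
_SET_TARGETS = re.compile(r"\bset\s+([A-Za-z_]\w*)\s*=")


class Finding(NamedTuple):
    expression: str  # the template block the reference appeared in
    root: str        # the root identifier that was referenced


def _expressions(body_text: str) -> List[str]:
    """Return the code of every expression/statement block, comments removed."""
    text = _COMMENTS.sub("", body_text)
    return [(m.group(1) or m.group(2) or "").strip() for m in _BLOCKS.finditer(text)]


def _bound_names(expressions: Iterable[str]) -> Set[str]:
    """Names introduced by the template itself ({% for x in ... %}, {% set x = ... %})."""
    bound: Set[str] = set()
    for expr in expressions:
        for m in _FOR_TARGETS.finditer(expr):
            bound.update(t.strip() for t in m.group(1).split(",") if t.strip())
        for m in _SET_TARGETS.finditer(expr):
            bound.add(m.group(1))
    return bound


def template_roots(body_text: str) -> List[Finding]:
    """Every root identifier a template resolves from its rendering context."""
    exprs = _expressions(body_text)
    skip = JINJA_RESERVED | _bound_names(exprs)
    findings: List[Finding] = []
    for expr in exprs:
        # Drop string literals and filter names so they are not mistaken for roots.
        cleaned = _FILTERS.sub("", _STRINGS.sub("", expr))
        for root in _ROOTS.findall(cleaned):
            if root not in skip:
                findings.append(Finding(expr, root))
    return findings


def unsafe_references(body_text: str, allowed: frozenset = ALLOWED_ROOTS) -> List[Finding]:
    """References that resolve to something outside the allowlisted context."""
    return [f for f in template_roots(body_text) if f.root not in allowed]


def audit_dunning_letter_texts(rows: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each Dunning Type whose body_text escapes the allowlist to the offending roots."""
    report: Dict[str, List[str]] = {}
    for row in rows:
        hits = unsafe_references(row["body_text"])
        if hits:
            report[row["dunning_type"]] = sorted({h.root for h in hits})
    return report


# Constructed sample rows standing in for Dunning Letter Text child records.
SAMPLE_ROWS = [
    {"dunning_type": "First Notice",
     "body_text": "Dear {{ doc.customer_name }},\n{% for row in doc.overdue_payments %}"
                  "{{ loop.index }}. {{ row.invoice | upper }}: {{ row.amount | round(2) }}\n"
                  "{% endfor %}{# reviewed #}"},
    {"dunning_type": "Tampered",
     "body_text": "Balance: {{ frappe.db.sql(\"SELECT @@version\") }}"},
]

if __name__ == "__main__":
    for dunning_type, roots in audit_dunning_letter_texts(SAMPLE_ROWS).items():
        print(f"{dunning_type}: references outside allowlist -> {roots}")
```

The allowlist approach flags the advisory's `frappe.db.sql` reference without needing a denylist of dangerous attribute names; any root the rendering context was not meant to expose is reported. The same allowlist is the set of keys a hardened renderer should pass as its context, so the audit and the fix agree on what a letter template may touch.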
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated attackers to execute arbitrary server-side code and perform SQL queries that can disclose sensitive database information. Such unauthorized access and data leakage can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access and processing. Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential unauthorized disclosure of protected data. [1]