CVE-2025-66435
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-23
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | erpnext | up to 15.89.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Template Injection (SSTI) in the get_contract_template method of Frappe ERPNext up to version 15.89.0. It occurs because the function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although a custom SandboxedEnvironment is used, dangerous globals like frappe.db.sql remain accessible, allowing an authenticated attacker who can create or modify a Contract Template to inject arbitrary Jinja expressions. This leads to server-side code execution within a restricted but unsafe context.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary server-side code within the application context. This can lead to leaking sensitive database information and potentially other unauthorized actions on the server, compromising the confidentiality and integrity of the system.