CVE-2025-66437
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-16

Assigner: MITRE

Description
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict="address_name", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66437
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe erpnext 15.89.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability for users to create or modify Address Templates until a patch is applied, reviewing and sanitizing any existing Address Templates for malicious Jinja expressions, and applying updates to Frappe ERPNext beyond version 15.89.0 where this vulnerability is fixed. Additionally, monitoring and limiting permissions related to Address Template management can reduce risk.

Executive Summary

This vulnerability is a Server-Side Template Injection (SSTI) in the get_address_display method of Frappe ERPNext up to version 15.89.0. It occurs because the method renders address templates using a function that processes attacker-controlled data in the template field. Although a sandbox environment is used, dangerous functions remain accessible, allowing an authenticated attacker with permission to create or modify Address Templates to inject malicious Jinja expressions. This can lead to server-side code execution or disclosure of database information.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code on the server or access sensitive database information. This can lead to unauthorized control over the server, data breaches, and potential disruption of services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66437. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart