CVE-2023-54345
Sandbox Escape in Frappe Framework ERPNext
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | erpnext | 13.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2023-54345 allows authenticated users with the System Manager role to execute arbitrary code on the server, potentially leading to unauthorized access and manipulation of sensitive data.
Such unauthorized access and data manipulation can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Exploitation of this vulnerability could lead to data breaches, unauthorized disclosure, or alteration of protected health information or personal data, thereby impacting compliance with these standards.
Organizations using affected versions of Frappe Framework ERPNext should apply patches promptly to mitigate risks and maintain compliance.
Can you explain this vulnerability to me?
CVE-2023-54345 is a sandbox escape vulnerability in the Frappe Framework ERPNext version 13.4.0. It affects the Server Script functionality, where authenticated users with the System Manager role can execute arbitrary Python code on the server. This is possible because the restricted execution environment, implemented using RestrictedPython, can be bypassed by exploiting frame introspection via the gi_frame attribute. Attackers can create malicious server scripts through the /app/server-script endpoint and traverse the call stack to invoke system commands using os.popen.
The vulnerability arises due to insufficient restrictions in the Server Scripts, allowing code injection attacks despite the intended sandboxing.
How can this vulnerability impact me?
This vulnerability can lead to severe impacts including unauthorized access to the server, execution of arbitrary system commands, data manipulation, and potential full system compromise. Since attackers with System Manager privileges can run arbitrary code, they can bypass security controls, access sensitive data, and disrupt normal operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the creation or execution of server scripts via the /app/server-script endpoint by authenticated users with the System Manager role. Since the exploit involves using the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands, suspicious server scripts or unusual command executions originating from the Frappe Framework environment should be investigated.
Specific commands to detect exploitation attempts are not provided in the available resources. However, general detection could involve auditing server script creation logs, monitoring HTTP requests to /app/server-script, and checking for unexpected processes or commands executed by the Frappe application user.
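As an added illustration of the general detection described above (example code written for this page, not part of the VulnCheck record or the Frappe project), the following Python script flags exported Server Script bodies that contain the indicators named in this entry (gi_frame and os.popen) and pulls requests to the /app/server-script endpoint out of web-server access-log lines. The record field names (name, owner, script) and the Common Log Format of the log are assumptions, and all sample data is constructed.

```python
import re
from typing import Dict, List

# Indicators named in the CVE-2023-54345 write-up: frame introspection via
# gi_frame and command execution via os.popen inside a Server Script body.
SUSPICIOUS_PATTERNS = {
    "frame_introspection": re.compile(r"\bgi_frame\b"),
    "os_popen": re.compile(r"\bos\s*\.\s*popen\b"),
}

# Constructed sample records; the field names (name, owner, script) are an
# assumption about how Server Script documents would be exported for review.
SAMPLE_SCRIPTS = [
    {"name": "SS-0001", "owner": "admin@example.com",
     "script": "doc.total = doc.qty * doc.rate\n"},
    {"name": "SS-0002", "owner": "sysmgr@example.com",
     # indicator tokens only, constructed for the test; not a working script
     "script": "fr = gen.gi_frame\nout = os.popen(cmd).read()\n"},
]

def scan_server_scripts(records: List[Dict]) -> List[Dict]:
    """Return one finding per record whose script body matches any indicator."""
    findings = []
    for rec in records:
        hits = [label for label, pat in SUSPICIOUS_PATTERNS.items()
                if pat.search(rec["script"])]
        if hits:
            findings.append({"name": rec["name"], "owner": rec["owner"], "indicators": hits})
    return findings

# Constructed access-log lines in Common Log Format; the second and third
# lines touch the /app/server-script UI and should be surfaced for review.
SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2026:10:01:02 +0000] "GET /app/sales-invoice HTTP/1.1" 200 512
10.0.0.7 - - [05/May/2026:10:02:15 +0000] "GET /app/server-script HTTP/1.1" 200 2048
10.0.0.7 - - [05/May/2026:10:03:01 +0000] "GET /app/server-script/new HTTP/1.1" 200 128
"""
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_server_script_requests(log_text: str) -> List[Dict]:
    """Return parsed requests whose path targets the /app/server-script UI."""
    matches = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("path").startswith("/app/server-script"):
            matches.append({k: m.group(k) for k in ("ip", "ts", "method", "path")})
    return matches
```

Run the two functions over a real export of the Server Script doctype and the reverse-proxy access log; each hit names the script owner or source IP so the creation can be checked against the expected set of System Manager users.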
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Frappe Framework ERPNext installation to the latest patched version that addresses this vulnerability.
Additionally, restrict access to the /app/server-script endpoint to only trusted users and review permissions to ensure only necessary users have the System Manager role.
Disabling or limiting the use of server scripts until a patch is applied can also reduce the risk of exploitation.