CVE-2025-66434
Published: 15 December 2025
Summary
CVE-2025-66434 is a high-severity Code Injection (CWE-94) vulnerability in Frappe Erpnext. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates and sanitizes attacker-controlled body_text inputs to prevent injection of malicious Jinja expressions leading to SSTI.
Enforces least privilege to restrict configuration access to Dunning Type and Letter Text, blocking authenticated attackers without necessary permissions.
Remediates the SSTI flaw in frappe.render_template by patching unsafe globals in the SandboxedEnvironment.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI vulnerability in public-facing web application (ERPNext) directly enables T1190 (Exploit Public-Facing Application) and T1221 (Template Injection) for remote code execution.
NVD Description
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such…
more
as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information.
Deeper analysisAI
CVE-2025-66434 is a Server-Side Template Injection (SSTI) vulnerability in the get_dunning_letter_text method of Frappe ERPNext through version 15.89.0. The method renders attacker-controlled Jinja2 templates from the body_text field using frappe.render_template() with a user-supplied context (doc). Although Frappe employs a custom SandboxedEnvironment, dangerous globals such as frappe.db.sql remain accessible via get_safe_globals(), enabling execution of arbitrary Jinja expressions. The issue is associated with CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Incorrect Handling of Shared Resource Lifetime), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with permissions to configure Dunning Type and its child table Dunning Letter Text can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious Jinja expressions into the body_text, the attacker achieves server-side code execution within the restricted but unsafe sandbox context, potentially leaking sensitive database information through functions like frappe.db.sql.
Details on the vulnerability, including potential mitigation strategies, are documented in advisories at https://iamanc.github.io/post/erpnext-ssti-bug-1 and https://www.notion.so/SSTI-bug-1-239e6086eadc8096bfcfe90551a3a483?source=copy_link.
Details
- CWE(s)