Cyber Posture

CVE-2025-66437

Severity: High · Public PoC · RCE

Published: 15 December 2025
Modified: 05 January 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66437 is a high-severity Code Injection (CWE-94) vulnerability in Frappe ERPNext, specifically a Server-Side Template Injection (SSTI) in the get_address_display method. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. Note that the low EPSS score reflects observed exploitation activity, not ease of exploitation: the vector is network-reachable, low-complexity and requires no user interaction, and the only precondition is an authenticated account that can create or modify an Address Template.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality), applied to the set of globals exposed to the template sandbox, and SI-10 (Information Input Validation), applied to the template text before it is saved.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques listed below. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Validates and sanitizes user-supplied template expressions and the address_dict parameter before rendering, so that an Address Template containing injected Jinja expressions is rejected at save time rather than reaching frappe.render_template().

CM-7 Least Functionality (prevent)
Reduces the globals handed to the Jinja2 SandboxedEnvironment to the minimum address rendering needs, removing database-reaching callables such as frappe.db.sql from get_safe_globals(). This blocks code execution and data access even if an injected expression is rendered.

Patch (prevent / recover)
Remediates the flaw in get_address_display by updating to a release in which Address Templates are no longer rendered with attacker-controlled data; see the affected version range under Details.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection (Defense Evasion)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

SSTI in a web application enables exploitation of a public-facing application (T1190), leading to RCE on the application server and, from the account of an ordinary ERPNext user, to privilege escalation on the host (T1068). The T1221 mapping is by analogy only: ATT&CK defines T1221 in terms of user document (for example Office) templates, whereas this flaw concerns server-side Jinja templates stored in the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict="address_name", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure.

Deeper analysis

CVE-2025-66437 is a Server-Side Template Injection (SSTI) in the get_address_display method of Frappe ERPNext through version 15.89.0. The method renders an Address Template through frappe.render_template() with a context built from the address_dict parameter, which is either a dictionary or a string naming an Address document. Rendering happens inside a custom Jinja2 SandboxedEnvironment, but the sandbox is not the security boundary here: get_safe_globals() still exposes database-reaching callables such as frappe.db.sql to the template, so any expression the attacker can get into a template runs with the application's database access.

The attack chain has three steps. First, an authenticated user with permission to create or modify an Address Template saves a template whose field contains arbitrary Jinja expressions (for example a call to frappe.db.sql). Second, the user creates an Address document whose country matches that template, so the template is the one selected for rendering. Third, the user calls the get_address_display API with address_dict set to the name of that Address, which causes the server to render the malicious template. The result is server-side code execution or disclosure of database contents. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).

For practitioners, three checks follow from this. The CVSS vector's PR:L treats the attacker as any authenticated user, but the real precondition is write access to the Address Template doctype, so review in the Role Permission Manager which roles hold that permission and whether self-service or portal users are among them. Audit existing Address Template records for Jinja expressions that do anything beyond printing address fields, in particular references to frappe.db or any function call. Finally, upgrade beyond the affected range listed under Details; the sandbox configuration alone should not be relied on.

Advisories providing additional details on the vulnerability are available at https://iamanc.github.io/post/erpnext-ssti-bug-4 and https://www.notion.so/SSTI-bug-4-239e6086eadc80aa9331fba874c674a5?source=copy_link.
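The following is an added example written for this page, not code from Frappe or ERPNext. It models the mechanism described above and the two controls listed earlier: a Jinja2 SandboxedEnvironment renders a template that calls a database helper exposed through its globals, which the sandbox permits; the same template is then rendered with a least-functionality globals set (CM-7), which refuses it; and a parse-only validator (SI-10) rejects the template before it would ever be saved. It requires the jinja2 package. The fake_db_sql stand-in, the ALLOWED_CALLS allow-list, the address context and both templates are constructed for the example and are not taken from the project.

```python
"""
Added illustration, not Frappe or ERPNext code: a Jinja2 SandboxedEnvironment
is no defence once a database-reaching callable is placed in its globals, and
the two fixes the controls section describes: a least-functionality globals
set (CM-7) and validation of the template text before it is saved (SI-10).
Requires the jinja2 package. fake_db_sql, ALLOWED_CALLS, the templates and
the address context are constructed for this example.
"""
from jinja2 import TemplateError, TemplateSyntaxError, nodes
from jinja2.sandbox import SandboxedEnvironment

# Stand-in for frappe.db.sql: records the query and returns a constructed row,
# so the effect of a successful injection is visible without a database.
SQL_CALLS = []

def fake_db_sql(query, *args, **kwargs):
    SQL_CALLS.append(query)
    return [("Administrator",)]  # constructed result row

# Context of the kind get_address_display renders with (constructed).
ADDRESS = {"address_line1": "1 Main St", "city": "Springfield", "country": "Utopia"}

BENIGN_TEMPLATE = "{{ address_line1 }}<br>{{ city }}, {{ country }}"

# What an attacker with write access to Address Template might save.
MALICIOUS_TEMPLATE = (
    "{{ address_line1 }}<br>{{ city }}"
    "{% set rows = frappe.db.sql('select name from tabUser') %}{{ rows }}"
)

def vulnerable_globals():
    """Models the flaw: sandboxed rendering, but frappe.db.sql is reachable."""
    return {"frappe": {"db": {"sql": fake_db_sql}}}

def hardened_globals():
    """CM-7: expose only what address rendering needs, nothing that reaches the DB."""
    return {"frappe": {"utils": {"cstr": str}}}

def safe_render(template_text, context, safe_globals):
    """Render in a SandboxedEnvironment with the given globals.
    Returns (True, output) or (False, name of the exception class)."""
    env = SandboxedEnvironment()
    env.globals.update(safe_globals)
    try:
        return True, env.from_string(template_text).render(**context)
    except TemplateError as exc:
        return False, type(exc).__name__

def dotted_name(node):
    """'frappe.db.sql' for a Name/Getattr chain, None for any other expression."""
    parts = []
    while isinstance(node, nodes.Getattr):
        parts.append(node.attr)
        node = node.node
    if isinstance(node, nodes.Name):
        parts.append(node.name)
        return ".".join(reversed(parts))
    return None

ALLOWED_CALLS = frozenset({"frappe.utils.cstr"})  # assumed allow-list

def validate_template(template_text):
    """SI-10: parse (never render) the submitted template and reject any call
    outside ALLOWED_CALLS or any underscore-prefixed attribute access.
    Returns a list of findings; an empty list means the template may be saved."""
    env = SandboxedEnvironment()
    try:
        ast = env.parse(template_text)
    except TemplateSyntaxError as exc:
        return [f"syntax error: {exc}"]
    findings = []
    for call in ast.find_all(nodes.Call):
        name = dotted_name(call.node)
        if name not in ALLOWED_CALLS:
            findings.append(f"disallowed call: {name or '<expression>'}")
    for attr in ast.find_all(nodes.Getattr):
        if attr.attr.startswith("_"):
            findings.append(f"private attribute access: {attr.attr}")
    return findings

if __name__ == "__main__":
    print(safe_render(MALICIOUS_TEMPLATE, ADDRESS, vulnerable_globals()))
    print(safe_render(MALICIOUS_TEMPLATE, ADDRESS, hardened_globals()))
    print(validate_template(MALICIOUS_TEMPLATE), validate_template(BENIGN_TEMPLATE))
```

With the vulnerable globals the sandbox renders the malicious template and the stand-in query runs, because SandboxedEnvironment only blocks unsafe attribute access and callables flagged as unsafe; a plain function handed in as a global is, from its point of view, safe. With the hardened globals the same template fails with UndefinedError before any call is made. The validator is the control to wire into the Address Template document's save-time validation in a real deployment: it needs no rendering, and its allow-list should be exactly the helpers address rendering is meant to use.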

Details

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Affected Products

frappe / erpnext, versions ≤ 15.89.0

CVEs Like This One

CVE-2025-66434 (same product: Frappe ERPNext)
CVE-2023-54345 (same product: Frappe ERPNext)
CVE-2026-32954 (same product: Frappe ERPNext)
CVE-2026-27471 (same product: Frappe ERPNext)
CVE-2026-44446 (same product: Frappe ERPNext)
CVE-2026-44442 (same product: Frappe ERPNext)
CVE-2026-44447 (same product: Frappe ERPNext)
CVE-2025-67289 (same product: Frappe ERPNext)
CVE-2025-65267 (same product: Frappe ERPNext)
CVE-2026-31017 (same product: Frappe ERPNext)

References

https://iamanc.github.io/post/erpnext-ssti-bug-4
https://www.notion.so/SSTI-bug-4-239e6086eadc80aa9331fba874c674a5?source=copy_link