Server-Side Template Injection in Frappe ERPNext
CVE-2025-66435

4.3MEDIUM

Key Information:

Vendor: Frappe Technologies
Status: ERPNext
Vendor: CVE Published:; 15 December 2025

🔔 Create Frappe Technologies Vulnerability Alert

What is CVE-2025-66435?

An SSTI vulnerability in Frappe ERPNext allows authenticated users to inject malicious Jinja expressions into contract templates, leading to possible execution of arbitrary code within the server environment. This occurs through the get_contract_template method, which improperly exposes dangerous globals, including database manipulation functions, even within a supposedly sandboxed context. Attackers with permission to modify contract templates can exploit this vulnerability to execute code, potentially leaking sensitive database information.

References

https://www.notion.so/SSTI-bug-2-239e6086eadc80878e8fcc7b...

https://iamanc.github.io/post/erpnext-ssti-bug-2

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Nov 30, 2025

CVE-2025-66435 Data

JSON