Server-Side Template Injection Vulnerability in Frappe ERPNext
CVE-2025-66437

CVSS 8.8 HIGH

Key Information:

Vendor: Frappe
Status: Vendor
CVE Published: 15 December 2025

What is CVE-2025-66437?

A Server-Side Template Injection (SSTI) vulnerability exists in the get_address_display method of Frappe ERPNext versions before 15.89.0. An authenticated user who has permission to modify an Address Template can place arbitrary Jinja expressions in the template body. Because the address_dict argument can be populated from an Address document and the template is then rendered with frappe.render_template(), those expressions are evaluated on the server with access to every function exposed through get_safe_globals(). The result is server-side code execution in the context of the application and potential exposure of sensitive data from the site database. The trust boundary crossed here is the template itself: whoever can edit the Address Template content controls what get_address_display executes, so template-edit permission is effectively code-execution permission on affected versions.
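The paragraph above describes the mechanism in prose. The following is an added example, not Frappe's code: a minimal "{{ expr }}" renderer over a context dict stands in for frappe.render_template() together with get_safe_globals(), and the expressions are evaluated as Python rather than Jinja so that the example runs with the standard library only. The FAKE_DB_ROWS table, the db_get_all helper, the ADDRESS_FIELDS list and the sample Address document are all constructed for the demo and are assumptions, not Frappe identifiers. It shows the vulnerable pattern (a user-editable template rendered with helpers in scope) beside a hardened counterpart that allow-lists what a saved template may reference and renders it with address data only.

```python
"""
Added illustration of the SSTI pattern behind CVE-2025-66437 (not Frappe's
code). A tiny "{{ expr }}" renderer over a context dict stands in for
frappe.render_template() + get_safe_globals(); expressions are evaluated as
Python rather than Jinja so only the standard library is needed.
"""
import ast
import re

# Constructed stand-in for site data that an address template must never reach.
FAKE_DB_ROWS = {
    "User": [
        {"name": "Administrator", "api_key": "k-admin-0001"},
        {"name": "alice@example.com", "api_key": "k-alice-0002"},
    ],
}


def db_get_all(doctype, fields):
    """Hypothetical data-access helper of the kind a template runtime exposes."""
    return [{f: row[f] for f in fields} for row in FAKE_DB_ROWS[doctype]]


# Fields of an Address document that a display template legitimately needs (assumed list).
ADDRESS_FIELDS = {"address_line1", "address_line2", "city", "state", "pincode", "country"}

# Constructed Address document, playing the role of address_dict in the advisory.
ADDRESS = {"address_line1": "221B Baker Street", "address_line2": "", "city": "London",
           "state": "", "pincode": "NW1 6XE", "country": "United Kingdom"}

# A normal template, and one an attacker with Address Template write access might save.
BENIGN_TEMPLATE = "{{ address_line1 }}, {{ city }} {{ pincode }}"
MALICIOUS_TEMPLATE = "{{ city }} {{ db_get_all('User', ['name', 'api_key']) }}"

EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}", re.S)


def _evaluate(template, context):
    """Expand each {{ expr }} by evaluating expr against context (stand-in for Jinja)."""
    return EXPR.sub(lambda m: str(eval(m.group(1), {"__builtins__": {}}, context)), template)


def render_unsafe(template, address):
    """Vulnerable pattern: the user-editable template is rendered with a context
    that exposes helper functions, so the template author can call them."""
    context = dict(address, db_get_all=db_get_all)  # helpers leak into the template
    return _evaluate(template, context)


class TemplateRejected(ValueError):
    """Raised when a template references anything outside the address fields."""


def check_template(template):
    """Allow-list check to run when an Address Template is saved (an added
    mitigation for the demo, not the upstream fix): expressions may only read
    address fields; calls, attribute access and subscripts are refused."""
    for m in EXPR.finditer(template):
        expr = m.group(1)
        try:
            tree = ast.parse(expr, mode="eval")
        except SyntaxError as exc:
            raise TemplateRejected(f"unparseable expression {expr!r}") from exc
        for node in ast.walk(tree):
            if isinstance(node, (ast.Call, ast.Attribute, ast.Subscript)):
                raise TemplateRejected(f"calls and attribute access not allowed: {expr!r}")
            if isinstance(node, ast.Name) and node.id not in ADDRESS_FIELDS:
                raise TemplateRejected(f"unknown name {node.id!r} in {expr!r}")


def template_is_safe(template):
    """Boolean wrapper around check_template for callers that do not want exceptions."""
    try:
        check_template(template)
    except TemplateRejected:
        return False
    return True


def render_safe(template, address):
    """Hardened pattern: refuse non-data expressions and render with address fields only."""
    check_template(template)
    context = {k: v for k, v in address.items() if k in ADDRESS_FIELDS}
    return _evaluate(template, context)


if __name__ == "__main__":
    print(render_unsafe(BENIGN_TEMPLATE, ADDRESS))
    print(render_unsafe(MALICIOUS_TEMPLATE, ADDRESS))  # API keys end up in the "address"
    print(template_is_safe(MALICIOUS_TEMPLATE))        # False: the template is refused on save
    print(render_safe(BENIGN_TEMPLATE, ADDRESS))
```

The two defences the hardened path combines are the ones that matter in any template engine: validate the template at write time, since that is where the attacker's privilege actually lies, and keep the render-time context down to plain data rather than a bag of helpers. On a real ERPNext site the equivalent operational controls are upgrading to 15.89.0 or later and reviewing which roles hold write permission on Address Template.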

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (an authenticated account with permission to edit Address Templates)
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 15 December 2025