Frappe ERPNext SSTI Vulnerability

HIGH (8.8) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.08% chance of exploitation (percentile: 24%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Frappe ERPNext is an open-source enterprise resource planning software used by various organizations. The vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0, which renders attacker-controlled Jinja2 templates using frappe.render_template() with a user-supplied context (doc). This allows an authenticated attacker to inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context.
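The pattern the advisory describes, as an added illustration that is not Frappe or ERPNext code: a user-editable letter body compiled as a Jinja2 template with the whole document as context, beside a hardened variant that renders in Jinja2's immutable sandbox with an allow-listed context and strict undefined handling. Plain jinja2 stands in for frappe.render_template(), and the document fields, allow-list and letter bodies are constructed for the example.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError, TemplateSyntaxError, UndefinedError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed stand-in for the dunning `doc` handed to the renderer.
DUNNING_DOC = {
    "customer_name": "Acme Ltd",
    "outstanding_amount": 1250.0,
    "owner": "accounts@example.invalid",  # internal field a letter must not expose
}

# Hypothetical allow-list: the only fields a letter body may reference.
LETTER_FIELDS = ("customer_name", "outstanding_amount")

# Constructed letter bodies.
LEGIT_BODY = "Dear {{ doc.customer_name }}, {{ doc.outstanding_amount }} is overdue."
INTROSPECT_BODY = "{{ doc.__class__.__name__ }}"  # steps off the data into object internals
LEAK_BODY = "{{ doc.owner }}"                      # references a field outside the allow-list


def render_unsafe(body: str, doc: dict) -> str:
    """Vulnerable pattern: attacker-editable text is the template, full doc is the context."""
    return Environment().from_string(body).render(doc=doc)


def render_hardened(body: str, doc: dict) -> tuple:
    """Sandboxed render over an allow-listed context. Returns (accepted, text)."""
    context = {k: doc[k] for k in LETTER_FIELDS if k in doc}
    env = ImmutableSandboxedEnvironment(
        undefined=StrictUndefined,  # unknown names raise instead of rendering blank
        autoescape=True,            # letter text is later embedded in HTML/PDF output
    )
    try:
        return True, env.from_string(body).render(doc=context)
    except SecurityError as exc:  # sandbox refused an attribute access or call
        return False, f"rejected: {exc}"
    except (UndefinedError, TemplateSyntaxError) as exc:
        return False, f"rejected: {exc}"


if __name__ == "__main__":
    print(render_unsafe(INTROSPECT_BODY, DUNNING_DOC))  # attacker expression is evaluated
    print(render_hardened(LEGIT_BODY, DUNNING_DOC))
    print(render_hardened(INTROSPECT_BODY, DUNNING_DOC))
    print(render_hardened(LEAK_BODY, DUNNING_DOC))
```

Sandboxing alone does not make an untrusted template safe to accept; the allow-listed context is what keeps the letter from reading fields it has no business seeing, and the safest design treats the body as data, not as a template.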

Am I affected?

You're affected if you run Frappe ERPNext version 15.89.0 or earlier. Check with: git log frappe/ERPNext --version (Git command) or pip show frappe (Python package manager command). Note that this is a specific enterprise resource planning product, so if you don't recognize the name, you're probably not affected.

Affected Packages

pypi: frappe/erpnext

Affected Products

Frappe Software Solutions / ERPNext

How to fix

Concrete steps:

  • Upgrade to Frappe ERPNext version 15.90.0 or later from the official GitHub repository: https://github.com/frappe/erpnext
  • Immediate mitigations:
    • Restrict network access to your ERPNext instance (firewall it from the public internet)
    • Audit admin account activity for suspicious access patterns
    • Monitor for unauthorized token creation