Frappe ERPNext SSTI Bug

MEDIUM (4.3) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 11%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Frappe ERPNext is an open-source enterprise resource planning software used by various organizations. This vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0, allowing an authenticated attacker to inject arbitrary Jinja expressions into contract_terms fields, resulting in server-side code execution within a restricted but still unsafe context.

Am I affected?

You're affected if you use Frappe ERPNext version 15.89.0 or earlier. Check with: git log frappe/ERPNext --format=%H to verify your commit hash is before the fix.

Note: This CVE does not affect Frappe ERPNext versions 16.0.0 and later, as they have patched this vulnerability.

Affected Products

Frappe Software Solutions / ERPNext

How to fix

  1. Upgrade to Frappe ERPNext version 16.0.0 or later from the official GitHub repository (https://github.com/frappe/erpnext).
  2. Immediate mitigations:
     - Restrict network access to your Frappe ERPNext instance (firewall it from the public internet)
     - Audit admin account activity for suspicious access patterns
     - Monitor for unauthorized template creation
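To support the last mitigation, the following is an added example (not code from the advisory or from the ERPNext project) that audits Contract Template records for Jinja blocks carrying sandbox-escape indicators while leaving ordinary placeholders alone. The record shape (dicts with name and contract_terms) and the sample records are constructed assumptions; in a real deployment you would feed it rows exported from the Contract Template doctype.

```python
import re
from dataclasses import dataclass

# Matches Jinja expression ({{ ... }}) and statement ({% ... %}) blocks.
JINJA_DELIM = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Indicators of sandbox-escape attempts inside a Jinja block:
# dunder attribute access, the attr filter, or subscript lookups of dunder names.
SUSPICIOUS = re.compile(r"__\w+__|\|\s*attr\b|\battr\s*\(|\[\s*['\"]__", re.S)


@dataclass
class Finding:
    name: str      # Contract Template record name
    snippet: str   # the offending Jinja block (truncated)


def audit_contract_terms(records):
    """Scan Contract Template records and return one Finding per Jinja block
    that carries sandbox-escape indicators. Benign placeholders such as
    {{ doc.party_name }} are not reported, since contract terms use them
    legitimately. Records are assumed to be dicts with 'name' and
    'contract_terms' keys (a constructed shape, not the ERPNext API)."""
    findings = []
    for rec in records:
        terms = rec.get("contract_terms") or ""
        for block in JINJA_DELIM.findall(terms):
            if SUSPICIOUS.search(block):
                findings.append(Finding(rec["name"], block[:80]))
    return findings


# Constructed sample records, not real ERPNext data.
SAMPLE_RECORDS = [
    {"name": "Standard NDA",
     "contract_terms": "This agreement is between {{ doc.party_name }} and {{ doc.company }}."},
    {"name": "Odd Template",
     "contract_terms": "Terms: {{ doc.__class__ }} apply."},
    {"name": "Loop Template",
     "contract_terms": "{% for item in doc.items %}{{ item.description }}{% endfor %}"},
]

if __name__ == "__main__":
    for f in audit_contract_terms(SAMPLE_RECORDS):
        print(f"{f.name}: {f.snippet}")
```

Run it on a periodic schedule against a fresh export of the doctype and alert on any new Finding; a template that legitimately needs dunder access should not exist in contract terms.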