Frappe ERPNext SSTI Vulnerability

MEDIUM (4.3) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 11%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Frappe ERPNext is a popular open-source enterprise resource planning (ERP) software used by many organizations. This vulnerability allows an attacker to inject arbitrary code into the system's Jinja2 templates, potentially leading to server-side code execution and database information leaks.
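Server-side template injection of the kind described above comes down to one mistake: user-controlled text is spliced into the template source that Jinja2 parses, instead of being handed to the template as a context value. The following is an added example, not code from the advisory or from Frappe; it shows the vulnerable construction beside the hardened one and a pre-render check that refuses strings carrying Jinja2 delimiters. The function names, the `notes` field, the `config` context variable and the `secret_setting` value are all constructed for the illustration; the only library used is Jinja2's public API.

```python
"""Added example (not Frappe's code): how user text reaches a Jinja2
renderer, and why only one of the two ways is safe.

Assumptions: render_unsafe/render_safe, APP_CONFIG and the `notes`
field are hypothetical names constructed for this illustration.
"""
import re

from jinja2 import Environment
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed application state that a template must never expose.
APP_CONFIG = {"secret_setting": "constructed-secret-value"}


def render_unsafe(user_notes: str) -> str:
    """Vulnerable pattern: the user's text becomes part of the template
    SOURCE, so Jinja2 parses and evaluates any {{ ... }} it contains
    against the render context (here: the config object)."""
    template_source = "Notes: " + user_notes  # user text is now code
    return Environment().from_string(template_source).render(config=APP_CONFIG)


# Hardened pattern: the template source is a fixed, developer-written
# string; user text is passed in as DATA through the render context, so
# Jinja2 treats it as a plain value and never parses it. A sandboxed,
# autoescaping environment limits the blast radius if a template is
# ever mis-constructed anyway.
SAFE_ENV = ImmutableSandboxedEnvironment(autoescape=True)
NOTES_TEMPLATE = SAFE_ENV.from_string("Notes: {{ notes }}")


def render_safe(user_notes: str) -> str:
    """Same context available, but the user's text is only ever a value."""
    return NOTES_TEMPLATE.render(notes=user_notes, config=APP_CONFIG)


# Defensive pre-check for code paths that must build template source
# dynamically: refuse input that contains Jinja2 statement, expression or
# comment delimiters instead of rendering it.
JINJA_DELIMS = re.compile(r"\{\{|\{%|\{#")


def looks_like_template_injection(text: str) -> bool:
    return JINJA_DELIMS.search(text) is not None


if __name__ == "__main__":
    user_input = "{{ config.secret_setting }}"
    print("unsafe:", render_unsafe(user_input))  # leaks the config value
    print("safe:  ", render_safe(user_input))    # echoes the text literally
    print("flagged:", looks_like_template_injection(user_input))
```

Note that the sandbox alone is not the fix: `ImmutableSandboxedEnvironment` still evaluates expressions and still exposes whatever the context contains, so it reduces what an injected expression can reach but does not stop the injection. The fix is keeping user input out of the template source entirely.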

Am I affected?

You're affected if you use Frappe ERPNext version 15.89.0 or earlier. Check with: frappe db dump (to verify the database schema) or grep "Frappe" frappe.py (to check for hardcoded values).

Note: This vulnerability is specific to Frappe ERPNext and not related to similar products like Zoho Inventory or Odoo.

Affected Products

Frappe Technologies / Frappe ERPNext

How to fix

  1. Upgrade to Frappe ERPNext version 16.0.0 or later: https://frappe.io/docs/erpnext/upgrade
  2. Immediate mitigations:
     - Restrict network access to your Frappe ERPNext instance (firewall it from the public internet)
     - Audit admin account activity for suspicious access patterns
     - Monitor for unauthorized token creation
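Since the advisory notes that no detection is available in major open-source tools, the audit and monitoring steps above can be backed by a simple log check. The example below is added here and is not part of the advisory or of Frappe; it scans access-log lines for requests whose URL carries Jinja2 template delimiters, URL-decoding repeatedly so that single- and double-encoded delimiters are both caught. The log lines, IP addresses and request paths are constructed for the illustration and do not describe real traffic or a real Frappe endpoint.

```python
"""Added example (not Frappe's code): flag access-log requests whose
target URL contains Jinja2 template delimiters.

Assumptions: the sample log is constructed in the common combined
access-log format; IPs and paths are hypothetical.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample access log; the second line carries the delimiters
# "{{ title }}" in URL-encoded form.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /app/item?name=Widget HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /app/report?title=%7B%7B+title+%7D%7D HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "POST /api/method/hypothetical.save HTTP/1.1" 200 20 "-" "python-requests/2.31"
"""

# Combined-format request line: ip, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
JINJA_DELIMS = re.compile(r"\{\{|\{%|\{#")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that
    double-encoded delimiters such as %257B%257B are also revealed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_delimiters(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose decoded target contains a
    Jinja2 expression, statement or comment delimiter."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # malformed line; skip rather than crash the scan
        target = fully_decode(match.group("target"))
        if JINJA_DELIMS.search(target):
            hits.append({
                "ip": match.group("ip"),
                "time": match.group("time"),
                "method": match.group("method"),
                "target": target,
                "status": match.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_template_delimiters(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['target']} -> {hit['status']}")
```

A hit here is a lead for the admin-activity audit, not proof of exploitation: legitimate users rarely send template syntax in URLs, but a follow-up should confirm which account made the request and whether the response status indicates the input was accepted. Request bodies (POST data) are not in standard access logs, so this check only covers what the URL exposes.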