PT-2025-51258 · Frappe · Erpnext

Published 2025-12-15 · Updated 2026-01-05 · CVE-2025-66437

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Frappe ERPNext versions through 15.89.0

Description: A Server-Side Template Injection (SSTI) issue exists in the get_address_display method. This function calls frappe.render_template() with a context built from the address_dict parameter, which can be either a dictionary or a string naming an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, functions such as frappe.db.sql remain reachable through get_safe_globals(). An authenticated attacker who can create or modify Address Templates can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country and then calling the get_address_display API with address_dict="address_name", the attacker causes the system to render the malicious template with attacker-controlled data. The result can be server-side code execution or disclosure of database contents. The API endpoint involved is get_address_display; the vulnerable parameter is address_dict.

Recommendations: Versions prior to 15.89.0 should be updated. As a temporary workaround, restrict access to Address Template creation and modification to minimize the risk of exploitation.
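The workaround above is an access restriction; a complementary control is to validate the template text itself before it is saved, so that a template author cannot reference the database helpers the sandbox still exposes. The following is an added example, not Frappe or ERPNext project code: it parses a candidate Address Template with the public jinja2 API and rejects any expression that reaches into `frappe.db` (the object the advisory names) or the `attr` filter, which can be used to reach the same attribute indirectly. The extra denied roots (`frappe.call`, `frappe.get_doc`) and the function names are assumptions for illustration; wiring the check into a DocType `validate` hook is left to the deployment.

```python
"""
Added example (not Frappe/ERPNext code): pre-save validation of a user-editable
Jinja template such as an Address Template. Rejects references to objects that
the render environment exposes but a display template should never touch.
"""
from jinja2 import nodes
from jinja2.sandbox import SandboxedEnvironment

# "frappe.db" is the object named in the advisory; the other two roots are
# assumptions added for illustration, not a list taken from the project.
DENIED_PATHS = ("frappe.db", "frappe.call", "frappe.get_doc")


def _dotted_path(node):
    """Rebuild 'a.b.c' from nested Getattr/Getitem nodes rooted at a Name.

    A dynamic subscript (frappe[key]) becomes '*', because it could resolve to
    any attribute at render time. Returns None when the chain is not rooted at
    a plain name (e.g. a call result or a literal)."""
    parts = []
    while isinstance(node, (nodes.Getattr, nodes.Getitem)):
        if isinstance(node, nodes.Getattr):
            parts.append(node.attr)
        elif isinstance(node.arg, nodes.Const) and isinstance(node.arg.value, str):
            parts.append(node.arg.value)      # frappe['db'] is the same as frappe.db
        else:
            parts.append("*")                 # frappe[key]: unknown until render time
        node = node.node
    if isinstance(node, nodes.Name):
        parts.append(node.name)
        return ".".join(reversed(parts))
    return None


def _matches(path, denied):
    """True if `path` is `denied` or something beneath it; '*' matches any segment."""
    p, d = path.split("."), denied.split(".")
    return len(p) >= len(d) and all(a == b or a == "*" for a, b in zip(p, d))


def find_denied_references(template_source):
    """Return the sorted list of denied paths (or 'filter:attr') used by the template."""
    env = SandboxedEnvironment()
    tree = env.parse(template_source)     # syntax errors surface here as TemplateSyntaxError
    hits = set()
    for node in tree.find_all((nodes.Getattr, nodes.Getitem, nodes.Name)):
        path = _dotted_path(node)
        if path is None:
            continue
        for denied in DENIED_PATHS:
            if _matches(path, denied):
                hits.add(denied)
    # The built-in `attr` filter performs getattr() by name, so it must be
    # denied as well or the path check above can be sidestepped.
    for flt in tree.find_all(nodes.Filter):
        if flt.name == "attr":
            hits.add("filter:attr")
    return sorted(hits)


def is_safe_address_template(template_source):
    """Boolean form of the check, convenient for tests and list filtering."""
    return not find_denied_references(template_source)


def validate_address_template(template_source):
    """Raise ValueError naming the offending references; return True when clean."""
    denied = find_denied_references(template_source)
    if denied:
        raise ValueError("template references denied objects: " + ", ".join(denied))
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a normal display template and two that
    # reach for the database object.
    for sample in (
        "{{ address_line1 }}<br>{{ city }}, {{ country }}",
        '{{ frappe.db.sql("select 1") }}',
        "{{ frappe | attr('db') }}",
    ):
        print(repr(sample), "->", find_denied_references(sample) or "ok")
```

The check is deliberately conservative: a dynamic subscript on a denied root's parent is flagged even though it might be harmless, because the validator runs once at save time and cannot know what `key` will hold. It complements rather than replaces the upstream fix, since a sandbox that still hands templates a database handle is the underlying defect.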

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2025-66437

Affected Products: Erpnext