PT-2025-51259 · Frappe · Erpnext

Published 2025-12-15 · Updated 2026-01-05 · CVE-2025-66438

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Frappe ERPNext versions through 15.89.0

Description: A Server-Side Template Injection (SSTI) issue exists in the Print Format rendering mechanism. The frappe.www.printview.get_html_and_style() API triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. While ERPNext uses a SandboxedEnvironment for Jinja2, it exposes sensitive functions like frappe.db.sql through get_safe_globals().

An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. After saving the malicious Print Format, the attacker can call get_html_and_style() with a target document to trigger rendering, potentially leading to information disclosure from the database, including database version and schema details, depending on the injected payload.

The exploitation flow involves creating a Print Format with an SSTI payload in the html field, calling the get_html_and_style() API, which then triggers frappe.render_template(template, doc) inside get_rendered_template(), and ultimately leaks database information via frappe.db.sql or other exposed globals.

Recommendations: Versions prior to 15.89.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
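As an added defensive example (not code from Frappe, ERPNext or this advisory): a stdlib-only audit that scans stored Print Format html fields for Jinja blocks referencing the database global named in the description, so a site owner can find tampered templates while no fixed release is available. The deny-list heuristic and the sample templates are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Jinja expression ({{ }}) and statement ({% %}) blocks in a Print Format html field.
_JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Names a user-editable template should never touch. frappe.db.sql is the global the
# advisory names; matching all of frappe.db (and subscript access such as frappe["db"])
# is a heuristic chosen for this example, not a list taken from get_safe_globals().
DENYLIST = (
    ("frappe.db access", re.compile(r"\bfrappe\s*\.\s*db\b")),
    ("frappe subscript access", re.compile(r"\bfrappe\s*\[")),
)

@dataclass(frozen=True)
class Finding:
    print_format: str  # Print Format document name
    block: str         # the offending Jinja block, verbatim
    rule: str          # which DENYLIST rule fired

def audit_print_format(name: str, html: str) -> list[Finding]:
    """Return one Finding per Jinja block in `html` that references a denied name."""
    findings = []
    for block in _JINJA_BLOCK.findall(html or ""):
        for rule_name, pattern in DENYLIST:
            if pattern.search(block):
                findings.append(Finding(name, block.strip(), rule_name))
                break  # one finding per block is enough for triage
    return findings

def audit_all(print_formats: dict[str, str]) -> dict[str, list[Finding]]:
    """Audit {name: html} pairs and keep only the Print Formats with findings.
    On a live site the pairs would come from
    frappe.get_all("Print Format", fields=["name", "html"]); here they are constructed."""
    report = {n: audit_print_format(n, h) for n, h in print_formats.items()}
    return {n: f for n, f in report.items() if f}

# Constructed samples: a normal invoice template and two tampered ones.
BENIGN_HTML = """<h1>{{ doc.name }}</h1>
{% for item in doc.items %}<p>{{ item.item_name }}</p>{% endfor %}
<p>{{ frappe.utils.fmt_money(doc.grand_total) }}</p>"""
INJECTED_HTML = '<h1>{{ doc.name }}</h1><p>{{ frappe.db.sql("select 1") }}</p>'
EVASIVE_HTML = '<p>{{ frappe["db"].sql("select 1") }}</p>'

if __name__ == "__main__":
    samples = {"Sales Invoice": BENIGN_HTML, "Tampered": INJECTED_HTML, "Evasive": EVASIVE_HTML}
    for pf, findings in audit_all(samples).items():
        for f in findings:
            print(f"{pf}: [{f.rule}] {f.block}")
```

Regex matching is a triage aid, not a template parser: a block that reaches the database indirectly through some other exposed global will not be flagged, so treat a clean report as a starting point, not proof of absence.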

Exploit

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2025-66438

Affected Products

Erpnext