CVE-2025-66434

8.8 HIGH

📋 TL;DR

An authenticated user who can edit Dunning Types in Frappe ERPNext can place arbitrary Jinja2 expressions in the Dunning Letter Text. That text is rendered server-side, so the expressions execute inside the renderer's context; the context is restricted but not safe, and the reported outcome is leakage of database contents. Affected: every Frappe ERPNext release up to and including 15.89.0.

💻 Affected Systems

Products:
  • Frappe ERPNext
Versions: through 15.89.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Dunning Type configuration privileges

📦 What is this software?

Frappe ERPNext is an open-source ERP application built on the Frappe framework (Python). Dunning Types hold the letter text sent to customers with overdue invoices, per language. That text is a Jinja2 template rendered on the server when a Dunning document is prepared, and that rendering step is where this vulnerability sits.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Full read of the site database through helpers reachable from the template context, bulk data exfiltration, and use of the exposed data (customer records, credentials) to reach other accounts within the ERP

🟠

Likely Case

Unauthorized database queries leading to sensitive data exposure and potential privilege escalation

🟢

If Mitigated

Limited impact: only trusted administrators can edit Dunning Types, and the instance is reachable only from the network segment that needs it

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to specific configuration areas

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.90.0 or later

Vendor Advisory: https://github.com/frappe/erpnext/security/advisories

Restart Required: Yes

Instructions:

1. Update Frappe ERPNext to version 15.90.0 or later (on a standard bench install, bench update on the version-15 branch)
2. Restart the application server (bench restart)
3. Confirm with bench version that the erpnext line reports 15.90.0 or later

🔧 Temporary Workarounds

Restrict Dunning Type Configuration Access

Applies to: all

In Role Permission Manager, leave write and create permission on the Dunning Type DocType only with the roles that genuinely maintain dunning letters. Dunning Letter Text rows are edited through their parent Dunning Type, so that DocType is the control point. Review the existing rows for expressions that are anything other than plain field references.

Implement WAF Rules

Applies to: all

A WAF rule that blocks Jinja2 delimiters ({{, {%) in Dunning Type save requests will also block legitimate letters, which use Jinja2 expressions to insert document fields. Use the WAF as a tripwire instead: log such requests and alert on expressions that contain calls, brackets or double underscores. This is detection, not a fix.

🧯 If You Can't Patch

  • Limit write access on the Dunning Type DocType to trusted administrators, and audit every existing Dunning Letter Text row for expressions that are not plain field references
  • Monitor the Error Log and application logs for render failures that pass through get_dunning_letter_text, and watch for Dunning Type changes made by unexpected users
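The access-control and audit measures above can be backed by a server-side allow-list: reject any Dunning Letter Text that contains a Jinja2 construct other than a plain field reference, an allow-listed filter, or an if/elif/else/endif block, so calls, subscripts and dunder attributes never reach frappe.render_template. The code below is an added example written for this page, not ERPNext's own code or its fix. It assumes Frappe renders with the default Jinja2 delimiters, that the child rows carry the fields parent, language, body_text and closing_text, and that the `doc` root is the only name letters need; the `validate_dunning_type` hook, the allowed-filter set and the sample rows are illustrative.

```python
"""Allow-list validator for Dunning Letter Text (added example; not ERPNext's own code)."""
import re

# Default Jinja2 delimiters (assumption); a {# comment #} is never evaluated by Jinja.
TOKEN_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}|\{#(.*?)#\}", re.DOTALL)
IDENT = r"[a-z][a-z0-9_]*"                       # no leading underscore, so no dunders
REF_RE = re.compile(rf"^{IDENT}(?:\.{IDENT})*$")
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")
CMP_RE = re.compile(r"^(.*?)\s*(==|!=|<=|>=|<|>)\s*(.*?)$")

# Tune both sets to what your letters actually use; everything else is rejected.
ALLOWED_ROOTS = {"doc"}                           # the Dunning document passed as context
ALLOWED_FILTERS = {"upper", "lower", "title", "trim", "round", "int", "string"}


def _check_ref(expr):
    """A bare field path such as doc.customer_name; returns an error string or None."""
    expr = expr.strip()
    if "__" in expr or not REF_RE.match(expr):
        return f"not a plain field reference: {expr!r}"
    if expr.split(".")[0] not in ALLOWED_ROOTS:
        return f"unknown root: {expr.split('.')[0]!r}"
    return None


def _check_operand(expr):
    expr = expr.strip()
    return None if NUMBER_RE.match(expr) else _check_ref(expr)


def _check_output(expr):
    """{{ ... }}: a field reference followed by zero or more allow-listed filters."""
    parts = [p.strip() for p in expr.split("|")]
    err = _check_ref(parts[0])
    if err:
        return err
    bad = [f for f in parts[1:] if f not in ALLOWED_FILTERS]
    return f"filter not allowed: {bad[0]!r}" if bad else None


def _check_statement(stmt):
    """{% ... %}: only if/elif with a reference or one simple comparison, else, endif."""
    if stmt in ("else", "endif"):
        return None
    keyword, _, cond = stmt.partition(" ")
    if keyword not in ("if", "elif"):
        return f"statement not allowed: {keyword!r}"
    cond = cond.strip()
    if cond.startswith("not "):
        cond = cond[4:]
    m = CMP_RE.match(cond)
    if m:
        return _check_operand(m.group(1)) or _check_operand(m.group(3))
    return _check_operand(cond)


def validate_template(text):
    """Return the list of violations; an empty list means the template is accepted."""
    text = text or ""
    violations = []
    for m in TOKEN_RE.finditer(text):
        output, statement, comment = m.groups()
        if comment is not None:
            continue
        raw = output if output is not None else statement
        inner = raw.strip().lstrip("-+").rstrip("-+").strip()   # drop whitespace control
        err = _check_output(inner) if output is not None else _check_statement(inner)
        if err:
            violations.append(err)
    leftover = TOKEN_RE.sub("", text)                # anything unmatched is malformed
    if "{{" in leftover or "{%" in leftover:
        violations.append("unbalanced template delimiters")
    return violations


def audit_dunning_letter_texts(rows):
    """rows: Dunning Letter Text records (field names assumed); returns violations per row."""
    report = {}
    for row in rows:
        problems = validate_template(row.get("body_text")) + validate_template(row.get("closing_text"))
        if problems:
            report[(row.get("parent"), row.get("language"))] = problems
    return report


def validate_dunning_type(doc, method=None):
    """Hypothetical doc_events 'validate' hook for Dunning Type; use frappe.throw in a real app."""
    problems = audit_dunning_letter_texts(doc.get("dunning_letter_text") or [])
    if problems:
        raise ValueError(f"Dunning Letter Text rejected: {problems}")


# Constructed sample rows, not data from a real site.
SAMPLE_ROWS = [
    {"parent": "First Notice", "language": "en",
     "body_text": "Dear {{ doc.customer_name }}, {{ doc.grand_total | round }} is overdue.",
     "closing_text": "{% if doc.dunning_fee > 0 %}A fee of {{ doc.dunning_fee }} applies.{% endif %}"},
    {"parent": "Tampered", "language": "en",
     "body_text": "{{ frappe.db.sql('select 1') }}",        # any call is outside the grammar
     "closing_text": "{{ doc.__class__ }}"},                  # dunder attribute access
    {"parent": "Loop", "language": "de",
     "body_text": "{% for r in doc.items %}{{ r.name }}{% endfor %}",   # loops not allowed
     "closing_text": "{# comments are ignored #}"},
]

if __name__ == "__main__":
    for key, problems in audit_dunning_letter_texts(SAMPLE_ROWS).items():
        print(key, problems)
```

The grammar is fail-closed: whatever the tokenizer cannot prove harmless is rejected, including loops, string literals and filters with arguments, so extend it only for constructs your letters really use (a `for` block introduces a second root name and needs its own rule). It only covers writes that pass through document validation; edits made with db_set or raw SQL bypass it, and it is a compensating control for instances that cannot upgrade yet, not a replacement for 15.90.0.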

🔍 How to Verify

Check if Vulnerable:

Run bench version in the bench directory: an erpnext line reporting 15.89.0 or earlier is vulnerable. Then use Role Permission Manager (or query the DocPerm and Custom DocPerm records for the Dunning Type DocType) to list the roles that can write to Dunning Type; users holding those roles are the population that can exploit this.

Check Version:

bench version

Verify Fix Applied:

Confirm that bench version reports erpnext 15.90.0 or later. Then, on a non-production site, verify that Dunning Letter Text no longer renders arbitrary Jinja2 expressions, using a harmless test expression rather than a real payload.
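The two checks above (release comparison and the set of roles that can write Dunning Type) scripted, as an added example for this page rather than anything shipped by ERPNext or bench. It assumes bench version prints one "app version" line per app, that 15.90.0 is the first fixed release as stated above, and that permission rows look like the dicts returned by frappe.get_all on DocPerm or Custom DocPerm (parent, role, permlevel, write); the sample output and sample permission rows are constructed.

```python
"""Verification helpers for CVE-2025-66434 (added example, not ERPNext or bench code)."""
import re
import subprocess

FIXED_VERSION = (15, 90, 0)     # first fixed release named in this advisory summary
# `bench version` prints one "app version" line per installed app (format assumed here).
VERSION_LINE_RE = re.compile(r"^(?P<app>\S+)\s+v?(?P<ver>\d+\.\d+\.\d+)(?P<suffix>\S*)", re.M)


def parse_bench_version(output):
    """Map app -> (numeric version tuple, suffix such as '-dev')."""
    apps = {}
    for m in VERSION_LINE_RE.finditer(output):
        version = tuple(int(part) for part in m.group("ver").split("."))
        apps[m.group("app")] = (version, m.group("suffix"))
    return apps


def erpnext_status(output):
    """'vulnerable', 'patched', 'unknown' (pre-release build) or 'erpnext not installed'."""
    apps = parse_bench_version(output)
    if "erpnext" not in apps:
        return "erpnext not installed"
    version, suffix = apps["erpnext"]
    if suffix:
        return "unknown"    # -dev/-beta builds: compare against the fix commit, not the tag
    # Compare numerically; as strings "15.9.0" would sort after "15.89.0".
    return "patched" if version >= FIXED_VERSION else "vulnerable"


def roles_with_write(docperm_rows, doctype="Dunning Type"):
    """Roles that can write the DocType at permlevel 0 (row shape assumed, see lead-in)."""
    return sorted({row["role"] for row in docperm_rows
                   if row["parent"] == doctype and row.get("permlevel", 0) == 0 and row.get("write")})


# Constructed samples, not output or data from a real site.
SAMPLE_BENCH_OUTPUT = "erpnext 15.89.0\nfrappe 15.89.0\n"
SAMPLE_DOCPERMS = [
    {"parent": "Dunning Type", "role": "Accounts Manager", "permlevel": 0, "write": 1},
    {"parent": "Dunning Type", "role": "Accounts User", "permlevel": 0, "write": 0},
    {"parent": "Sales Invoice", "role": "Sales User", "permlevel": 0, "write": 1},
]

if __name__ == "__main__":
    try:
        output = subprocess.run(["bench", "version"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_BENCH_OUTPUT     # not inside a bench directory: fall back to the sample
    print("erpnext:", erpnext_status(output))
    print("roles with write on Dunning Type (sample rows):", roles_with_write(SAMPLE_DOCPERMS))
```

When Custom DocPerm rows exist for a DocType they replace its standard DocPerm rows, so fetch both sets and evaluate the custom set when it is non-empty; otherwise the report shows the shipped permissions rather than the effective ones.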

📡 Detection & Monitoring

Log Indicators:

  • Tracebacks in Error Log or logs/frappe.log that pass through get_dunning_letter_text and frappe.render_template, in particular jinja2 SecurityError (sandbox blocked an attribute or call) and UndefinedError
  • Dunning Type or Dunning Letter Text edits by users who do not normally maintain dunning letters
  • Repeated render failures from one user in a short window, which looks like probing rather than a typo

Network Indicators:

  • Network signals are weak for this bug: leaked data leaves inside ordinary HTTPS responses to the authenticated user, and the ERPNext server's database connection looks the same as always
  • Unusually large responses to dunning-related requests shortly after a Dunning Type change, or such changes arriving from unexpected source addresses

SIEM Query:

source="erpnext" AND ("get_dunning_letter_text" OR "frappe.render_template") AND (error OR exception OR "template injection")
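The SIEM query above finds individual errors; the log indicators call for grouping them per user and time window. The script below does that over Error Log records, as an added example for this page and not Frappe's own tooling. It assumes each record is a dict shaped like an Error Log row (creation, owner, error holding the traceback), that tracebacks use Python's standard layout, and that the window, burst threshold and the use of jinja2.exceptions.SecurityError as a high-severity marker are site tuning choices; the sample records are constructed.

```python
"""Detection over Frappe Error Log records for dunning render failures (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FRAME_RE = re.compile(r'File "[^"]+", line \d+, in (\w+)')
EXC_RE = re.compile(r"^([\w.]+(?:Error|Exception))\b", re.MULTILINE)

WINDOW = timedelta(minutes=10)      # burst window (assumption, tune per site)
BURST = 3                           # dunning render failures per user per window
# Jinja2's sandbox raises SecurityError when a template reaches a blocked attribute
# or call; one of those inside a dunning render is worth an alert on its own.
HIGH_SEVERITY = {"jinja2.exceptions.SecurityError"}


def parse_error_log(record):
    """Reduce one Error Log row to the fields the detection needs."""
    frames = FRAME_RE.findall(record["error"])
    exceptions = EXC_RE.findall(record["error"])
    return {
        "user": record["owner"],
        "when": datetime.fromisoformat(record["creation"]),
        "dunning_render": "get_dunning_letter_text" in frames and "render_template" in frames,
        "exception": exceptions[-1] if exceptions else None,
    }


def detect(records):
    """Per user: a high alert for any sandbox SecurityError in a dunning render and a
    medium alert for BURST or more dunning render failures inside one WINDOW."""
    per_user = defaultdict(list)
    for event in map(parse_error_log, records):
        if event["dunning_render"]:
            per_user[event["user"]].append(event)
    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["when"])
        blocked = [e for e in events if e["exception"] in HIGH_SEVERITY]
        if blocked:
            alerts.append({"user": user, "severity": "high", "count": len(blocked),
                           "reason": "sandbox SecurityError during dunning letter render"})
        longest, start = 0, 0
        for end in range(len(events)):       # sliding window over sorted timestamps
            while events[end]["when"] - events[start]["when"] > WINDOW:
                start += 1
            longest = max(longest, end - start + 1)
        if longest >= BURST:
            alerts.append({"user": user, "severity": "medium", "count": longest,
                           "reason": f"{longest} dunning render failures within {WINDOW}"})
    return alerts


def _traceback(last_line, via_dunning=True):
    """Build a constructed traceback in Python's layout (sample data, not a real log)."""
    frames = ['  File "apps/frappe/frappe/handler.py", line 1, in execute_cmd']
    if via_dunning:
        frames += ['  File "apps/erpnext/erpnext/accounts/doctype/dunning/dunning.py", line 1, in get_dunning_letter_text',
                   '  File "apps/frappe/frappe/utils/jinja.py", line 1, in render_template']
    else:
        frames += ['  File "apps/frappe/frappe/desk/form/save.py", line 1, in savedocs']
    return "Traceback (most recent call last):\n" + "\n".join(frames) + "\n" + last_line


# Constructed Error Log rows: one typo by alice, an unrelated error by bob, and a burst
# by mallory that includes a sandbox rejection.
SAMPLE_ERROR_LOG = [
    {"creation": "2025-12-01 10:00:05", "owner": "alice@example.com",
     "error": _traceback("jinja2.exceptions.TemplateSyntaxError: unexpected '}'")},
    {"creation": "2025-12-01 10:02:11", "owner": "mallory@example.com",
     "error": _traceback("jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'x'")},
    {"creation": "2025-12-01 10:03:40", "owner": "mallory@example.com",
     "error": _traceback("jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'y'")},
    {"creation": "2025-12-01 10:04:00", "owner": "bob@example.com",
     "error": _traceback("frappe.exceptions.ValidationError: Missing value", via_dunning=False)},
    {"creation": "2025-12-01 10:05:02", "owner": "mallory@example.com",
     "error": _traceback("jinja2.exceptions.SecurityError: access to attribute '__class__' of 'dict' object is unsafe.")},
    {"creation": "2025-12-01 10:06:58", "owner": "mallory@example.com",
     "error": _traceback("jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'z'")},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_ERROR_LOG):
        print(alert)
```

A single TemplateSyntaxError from one user is the normal cost of hand-edited letters and produces no alert; a SecurityError means the sandbox already stopped something and should page someone regardless of count. Feed the function with rows pulled from the Error Log DocType (or parsed from logs/frappe.log), and remember that a successful injection raises no error at all, so pair this with review of Dunning Type changes.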
