CVE-2025-66435

4.3 MEDIUM

📋 TL;DR

An authenticated attacker with Contract Template creation/modification privileges can inject malicious Jinja2 templates into the contract_terms field, leading to server-side code execution within Frappe ERPNext's sandboxed environment. This allows database information leakage and potentially other restricted operations. Exploitation requires an authenticated account that holds those permissions.

💻 Affected Systems

Products:
  • Frappe ERPNext
Versions: through 15.89.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Contract Template creation/modification permissions

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including sensitive business data, financial records, and PII leakage through arbitrary SQL execution via frappe.db.sql

🟠 Likely Case: Targeted data exfiltration from specific database tables by authenticated malicious insiders or compromised accounts

🟢 If Mitigated: Limited impact due to proper access controls, monitoring, and network segmentation restricting database access

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once permissions are obtained

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.90.0 or later

Vendor Advisory: https://github.com/frappe/frappe/security/advisories

Restart Required: Yes

Instructions:

1. Update Frappe framework to latest version
2. Update ERPNext to version 15.90.0 or later
3. Restart the application server
4. Verify the patch is applied

🔧 Temporary Workarounds

Restrict Contract Template Permissions (applies to: all)

Temporarily remove Contract Template creation/modification permissions from all non-essential users

Input Validation Filter (applies to: all)

Add custom validation that inspects the contract_terms field before it is saved or rendered and rejects Jinja2 constructs the template should never need
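The filter described above, as an added example that is not Frappe's or ERPNext's own code: a pure-Python scan of the contract_terms field for Jinja2 blocks that reference the database layer (frappe.db, the path this advisory names) or Python dunder attributes. The denylist and the validate_contract_terms hook are assumptions for illustration; in a deployment the hook would be attached to the Contract Template doctype's validate event and fail the save through Frappe's own error mechanism rather than ValueError.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Jinja2 expression {{ ... }} and statement {% ... %} blocks.
JINJA_BLOCK = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Denylist applied inside template blocks. Assumption for this example:
# a contract text never needs the database layer (frappe.db) and never
# needs Python dunder attributes; extend the list for your own deployment.
DENY_PATTERNS = {
    "database access (frappe.db)": re.compile(r"\bfrappe\s*\.\s*db\b"),
    "dunder attribute access": re.compile(r"__\w+__"),
}


@dataclass(frozen=True)
class Finding:
    reason: str
    snippet: str


def scan_contract_terms(contract_terms: str) -> list[Finding]:
    """Return one Finding per denylisted pattern found inside a Jinja2 block."""
    findings: list[Finding] = []
    for match in JINJA_BLOCK.finditer(contract_terms or ""):
        body = (match.group(1) or match.group(2) or "").strip()
        for reason, pattern in DENY_PATTERNS.items():
            if pattern.search(body):
                findings.append(Finding(reason, body))
    return findings


def validate_contract_terms(contract_terms: str) -> None:
    """Hypothetical validate hook: refuse the save when the scan finds anything."""
    findings = scan_contract_terms(contract_terms)
    if findings:
        details = "; ".join(f"{f.reason}: {f.snippet!r}" for f in findings)
        raise ValueError(f"contract_terms rejected: {details}")


# Constructed samples (not taken from the advisory).
BENIGN = ("Contract for {{ doc.party_name }} dated "
          "{% if doc.start_date %}{{ doc.start_date }}{% endif %}.")
SUSPICIOUS = "Terms: {{ frappe.db.sql }}"  # touches the layer named in the advisory

if __name__ == "__main__":
    print(scan_contract_terms(BENIGN))      # []
    print(scan_contract_terms(SUSPICIOUS))  # one Finding for frappe.db
```

Running scan_contract_terms over existing Contract Template records gives a one-off sweep for the "Suspicious Jinja2 syntax in contract_terms" indicator listed under Detection & Monitoring.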

🧯 If You Can't Patch

  • Implement strict access controls to Contract Template functionality
  • Deploy WAF rules to detect and block SSTI patterns in contract_terms field

🔍 How to Verify

Check if Vulnerable:

Check if Frappe version is 15.89.0 or earlier and verify Contract Template permissions exist

Check Version:

bench version

Verify Fix Applied:

Confirm Frappe version is 15.90.0 or later and test that SSTI payloads placed in contract_terms are rejected rather than rendered

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from contract template rendering
  • Multiple failed template rendering attempts
  • Suspicious Jinja2 syntax in contract_terms field

Network Indicators:

  • Unusual database connection patterns from application server
  • Large data exfiltration from database

SIEM Query:

source="frappe.log" AND ("contract_terms" OR "render_template") AND ("error" OR "exception")
