CVE-2025-66436
📋 TL;DR
An authenticated attacker who can create or modify Terms and Conditions documents in Frappe ERPNext can place malicious Jinja2 template syntax in the terms field, which is rendered server-side when the terms are attached to a transaction (server-side template injection). The template runs in Frappe's restricted Jinja environment, but that environment still exposes enough (notably frappe.db.sql) to read and leak database contents. Exploitation requires an authenticated account with create or write access to the Terms and Conditions DocType; unauthenticated users are not affected.
💻 Affected Systems
- Frappe ERPNext
📦 What is this software?
ERPNext is an open-source ERP application by Frappe, built on the Frappe web framework. Its Terms and Conditions DocType stores reusable terms text that is rendered as a Jinja2 template (with the transaction document as context, e.g. {{ doc.name }}) into quotations, sales orders, invoices and similar transactions.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive business data, financial records, and user credentials through arbitrary SQL execution via frappe.db.sql.
Likely Case
Data exfiltration of database contents, privilege escalation by reading/modifying user records, and potential lateral movement within the ERP system.
If Mitigated
Limited impact if create and write access to Terms and Conditions documents is restricted to trusted administrators. Database-level segmentation does not help much on its own: frappe.db.sql runs with the site's own database credentials, which have full access to the site database.
🎯 Exploit Status
Exploitation requires authentication and document modification privileges. The vulnerability is well-documented with technical details available in public references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.90.0 or later
Vendor Advisory: https://github.com/frappe/frappe/security/advisories
Restart Required: Yes
Instructions:
1. Update Frappe ERPNext to version 15.90.0 or later (for a bench-managed install, via bench update or by pulling the tagged release for the erpnext app).
2. Restart the application server (bench restart on a bench-managed install, or restart the supervisor/systemd units that run the web and worker processes).
3. Verify the patch is applied by checking the installed erpnext version with bench version.
🔧 Temporary Workarounds
Restrict Document Permissions
Remove Create and Write on the Terms and Conditions DocType from every role except System Manager, using the Role Permission Manager page (/app/permission-manager, DocType "Terms and Conditions"). Note that bench has no set-user-permission command, and Frappe's User Permissions only scope which records a user can see; they do not stop a user who holds Write on the DocType from editing the terms field. To list which roles currently hold Create or Write, from bench --site [site_name] console:
>>> [(p.role, p.create, p.write) for p in frappe.get_meta("Terms and Conditions").permissions]
Disable Terms and Conditions Module
Terms and Conditions is a DocType in ERPNext's Setup module, not a module of its own, and bench has no disable-module command, so it cannot be switched off short of uninstalling ERPNext. If the templated-terms feature is not needed, treat the DocType as administrator-only (see above) and audit the terms field of every existing document for Jinja2 syntax that nobody intended to be there.
🧯 If You Can't Patch
- Implement strict access controls to limit who can create or modify Terms and Conditions documents to only trusted administrators.
- Deploy a web application firewall (WAF) with rules that inspect the terms field in POST bodies to the save/insert endpoints. Note that the field legitimately carries Jinja2 syntax such as {{ doc.name }}, so blanket blocking of {{ or {% breaks a supported feature; scope rules to the dangerous content the page describes (references to frappe.db, .sql( calls, dunder attribute chains) and treat the WAF as a speed bump rather than a fix, since such patterns are easy to obfuscate.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed erpnext app is older than 15.90.0 (15.89.0 or earlier on the 15.x line) using the bench version command.
Check Version:
bench version
Verify Fix Applied:
Verify that the erpnext version reported is 15.90.0 or later. Then, on a non-production site, confirm that a benign template such as {{ doc.name }} still renders in a transaction's terms, while a terms document whose template references frappe.db.sql no longer returns query results when rendered.
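The version check above is easy to get wrong with a string comparison (for example "15.100.2" sorts before "15.90.0" as text). The following is an added example, not code from the page or from Frappe, that parses bench version output numerically and applies the threshold the page states. It assumes bench version prints one app per line as "appname major.minor.patch" (optionally with a suffix such as -dev); only the 15.x line is classified, because that is the only line for which the page gives a fixed version.

```python
import re

# Version in which the page says the issue is fixed (ERPNext 15.x line).
FIXED_VERSION = (15, 90, 0)

# Assumed `bench version` line format: "erpnext 15.89.0" or "frappe 16.0.0-dev".
VERSION_LINE = re.compile(
    r"^(?P<app>[a-z0-9_\-]+)\s+v?(?P<ver>\d+\.\d+\.\d+)(?P<suffix>\S*)\s*$"
)


def parse_bench_version(output: str) -> dict:
    """Map app name -> ((major, minor, patch), suffix) from bench version output."""
    apps = {}
    for line in output.splitlines():
        m = VERSION_LINE.match(line.strip())
        if m:
            ver = tuple(int(p) for p in m.group("ver").split("."))
            apps[m.group("app")] = (ver, m.group("suffix"))
    return apps


def erpnext_status(output: str) -> str:
    """Return 'patched', 'vulnerable', 'not-installed' or 'out-of-scope'."""
    apps = parse_bench_version(output)
    if "erpnext" not in apps:
        return "not-installed"
    ver, _suffix = apps["erpnext"]
    if ver[0] != 15:
        # The page only states a fixed version for the 15.x line; other
        # lines must be checked against the vendor advisory.
        return "out-of-scope"
    # Tuple comparison is numeric per component, so 15.100.2 >= 15.90.0.
    return "patched" if ver >= FIXED_VERSION else "vulnerable"


if __name__ == "__main__":
    import subprocess

    out = subprocess.run(
        ["bench", "version"], capture_output=True, text=True, check=True
    ).stdout
    print(erpnext_status(out))
```

Run it from the bench directory; any result other than "patched" needs follow-up, and "out-of-scope" means the installed line is not the one this page covers rather than that it is safe.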
📡 Detection & Monitoring
Log Indicators:
- Unusual queries in the MariaDB general or slow query log from the site's database user, for example SELECTs against tabUser or __Auth (the table that holds password hashes) that no ERPNext code path would normally issue
- jinja2 SecurityError or TemplateSyntaxError entries in the Frappe logs, which indicate templates probing the restricted environment
- Creation or modification of Terms and Conditions documents by accounts that do not normally maintain them, visible in the documents' modified_by field and, where document tracking is enabled, in the Version DocType
Network Indicators:
- POST requests to the document write endpoints (/api/method/frappe.desk.form.save, /api/method/frappe.client.save, /api/method/frappe.client.insert, and the REST path /api/resource/Terms and Conditions) whose body carries Jinja2 syntax in the terms field of a Terms and Conditions document. Note that request bodies are not in the default web server access logs; this indicator needs body inspection at a reverse proxy or WAF.
SIEM Query:
Pseudo-syntax; adapt to your SIEM, and treat the quoted patterns as regular expressions:
source="frappe.log" AND ("frappe.render_template" OR "Terms and Conditions") AND ("{{.*}}" OR "{% .* %}")
Because legitimate terms also contain {{ ... }}, tune the query further on the dangerous content ("frappe.db", ".sql(", "__") to keep the alert volume usable.
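Since request bodies are rarely logged, the most reliable hunt is to inspect what is actually stored in the terms field. The following is an added example, not code from the page or from Frappe: it scans rows shaped like the output of frappe.get_all("Terms and Conditions", fields=["name", "modified_by", "terms"]) for Jinja2 blocks that reference frappe.db or call .sql( (the page's stated vector), plus dunder attribute chains, which are a generic Jinja2 sandbox-escape marker and are included here as an assumption beyond what the page states. The sample rows are constructed for the example.

```python
import re
from dataclasses import dataclass

# Jinja2 expression and statement blocks; DOTALL so multi-line blocks match.
JINJA_BLOCK = re.compile(r"{{.*?}}|{%.*?%}", re.S)

# What to flag inside a block. The first two follow the page's stated vector
# (database access via frappe.db / frappe.db.sql); the dunder check is a
# generic Jinja2 sandbox-escape marker, added here as an assumption.
INDICATORS = (
    ("frappe.db", re.compile(r"\bfrappe\s*\.\s*db\b")),
    ("sql-call", re.compile(r"\.\s*sql\s*\(")),
    ("dunder", re.compile(r"__\w+__")),
)


@dataclass
class Finding:
    name: str
    modified_by: str
    indicator: str
    snippet: str


def scan_terms(rows):
    """Return one Finding per stored template block that matches an indicator."""
    findings = []
    for row in rows:
        for block in JINJA_BLOCK.findall(row.get("terms") or ""):
            for label, rx in INDICATORS:
                if rx.search(block):
                    findings.append(
                        Finding(row["name"], row["modified_by"], label, block.strip())
                    )
                    break  # one finding per block is enough
    return findings


# Constructed sample rows in the shape returned by
# frappe.get_all("Terms and Conditions", fields=["name", "modified_by", "terms"]).
SAMPLE_ROWS = [
    {"name": "Standard Terms", "modified_by": "sales@example.com",
     "terms": "Payment due 30 days after {{ doc.posting_date }}."},
    {"name": "TC-EVIL-1", "modified_by": "contractor@example.com",
     "terms": "Thanks.\n{{ frappe.db.sql('select name from tabUser') }}"},
    {"name": "TC-EVIL-2", "modified_by": "contractor@example.com",
     "terms": "{% set x = ''.__class__.__mro__ %}Regards"},
]

if __name__ == "__main__":
    for f in scan_terms(SAMPLE_ROWS):
        print(f"{f.name} (last modified by {f.modified_by}): {f.indicator}: {f.snippet}")
```

In a bench console, replace SAMPLE_ROWS with the real frappe.get_all call and review every finding together with the modified_by account; a hit on a document edited by a low-privilege user is the case this advisory describes.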