CVE-2025-66437

8.8 HIGH

📋 TL;DR

This CVE describes a Server-Side Template Injection (SSTI) vulnerability in Frappe ERPNext that allows authenticated attackers with Address Template permissions to execute arbitrary Jinja expressions. This can lead to server-side code execution or database information disclosure. The vulnerability affects all ERPNext instances through version 15.89.0.

💻 Affected Systems

Products:
  • Frappe ERPNext
Versions: through 15.89.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with permission to create/modify Address Templates.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data exfiltration, ransomware deployment, or complete system takeover via remote code execution.

🟠

Likely Case

Database information disclosure including sensitive business data, customer information, and potentially credential extraction.

🟢

If Mitigated

Limited impact if proper authentication controls and template validation are in place, but still significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and specific permissions, but detailed technical analysis is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.90.0 or later

Vendor Advisory: https://github.com/frappe/frappe/security/advisories

Restart Required: Yes

Instructions:

1. Update Frappe ERPNext to version 15.90.0 or later.
2. Restart the application server.
3. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Restrict Address Template Permissions (applies to: all)

Limit which users can create or modify Address Templates to only trusted administrators.

Input Validation for Template Fields (applies to: all)

Implement strict validation on template field inputs to block Jinja expression injection.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can create or modify Address Templates.
  • Deploy a WAF with rules to detect and block SSTI payloads in template fields.

🔍 How to Verify

Check if Vulnerable:

Check if ERPNext version is 15.89.0 or earlier and if users have Address Template modification permissions.

Check Version:

bench version

Verify Fix Applied:

Verify ERPNext version is 15.90.0 or later and test that Jinja expressions in Address Templates are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template modifications
  • Multiple failed template validation attempts
  • Suspicious API calls to get_address_display

Network Indicators:

  • Unusual patterns in template-related API traffic
  • Payloads containing Jinja expressions in POST requests

SIEM Query:

source="erpnext" AND (event="template_modification" OR api_call="get_address_display") AND (payload CONTAINS "{{" OR payload CONTAINS "{%")
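The two defender-side checks this page describes, an allowlist validator for Address Template content (the "Input Validation for Template Fields" workaround) and the log-line test behind the SIEM query, as an added example that is not Frappe's code and not part of this advisory. The allowed field names, the `get_address_display` log key and the sample log lines are constructed assumptions; the upstream fix is still the 15.90.0 upgrade, and this validator is only a stopgap for instances that cannot patch yet.

```python
"""Allowlist validation for Address Template bodies plus a log-line check (constructed example)."""
import re
from typing import List

# Address fields a template may legitimately render (assumed list, not Frappe's schema).
ALLOWED_FIELDS = {
    "address_title", "address_line1", "address_line2", "city", "state",
    "pincode", "country", "phone", "email_id",
}

# Output blocks {{ ... }}, statement blocks {% ... %} and comments {# ... #}.
BLOCK_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}|\{#(.*?)#\}", re.DOTALL)
NAME_RE = re.compile(r"^[a-z_][a-z0-9_]*$")
# Attribute access, calls, indexing, filters and dunder names are what turn a
# template variable into code execution or object traversal; none are needed
# to print an address, so all of them are rejected outright.
DANGEROUS = re.compile(r"[.()\[\]|]|__")


def validate_address_template(template: str) -> List[str]:
    """Return the list of problems found; an empty list means the template passes."""
    problems: List[str] = []

    # A delimiter that survives removal of all well-formed blocks is unbalanced.
    leftover = BLOCK_RE.sub("", template)
    if any(marker in leftover for marker in ("{{", "{%", "{#")):
        problems.append("unbalanced template delimiter")

    for match in BLOCK_RE.finditer(template):
        expr, stmt, comment = match.group(1), match.group(2), match.group(3)
        if comment is not None:
            continue  # comments render to nothing
        body = (expr if expr is not None else stmt).strip()

        if DANGEROUS.search(body):
            problems.append("disallowed construct: " + body)
            continue

        if expr is not None:
            # Output block: exactly one bare, allowlisted field name.
            if not NAME_RE.match(body) or body not in ALLOWED_FIELDS:
                problems.append("unknown field: " + body)
        else:
            # Statement block: only `if <field>`, `elif <field>`, `else`, `endif`.
            tokens = body.split()
            if tokens in (["else"], ["endif"]):
                continue
            if len(tokens) == 2 and tokens[0] in ("if", "elif") and tokens[1] in ALLOWED_FIELDS:
                continue
            problems.append("disallowed statement: " + body)
    return problems


def flag_log_line(line: str) -> bool:
    """True when a log line references get_address_display and carries Jinja delimiters."""
    return "get_address_display" in line and ("{{" in line or "{%" in line)


# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = [
    'api=get_address_display user=alice payload="{{ address_line1 }}"',
    'api=get_address_display user=bob payload="{{ address.get(\'city\') }}"',
    'api=get_contact_details user=carol payload="plain text"',
]


def suspicious_log_lines(lines: List[str]) -> List[str]:
    """Return only the lines the detection rule flags."""
    return [line for line in lines if flag_log_line(line)]


if __name__ == "__main__":
    print(validate_address_template("{{ address_line1 }}\n{% if city %}{{ city }}{% endif %}"))
    print(validate_address_template("{{ address.get('city') }}"))
    print(suspicious_log_lines(SAMPLE_LOG))
```

The rule flags every legitimate rendering of a template too, because a valid Address Template necessarily contains `{{`; in practice the detection is useful for spotting template *modifications* by users who normally never touch them, which is why the page pairs it with the `template_modification` event.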
