CVE-2025-66438

8.8 HIGH

📋 TL;DR

This Server-Side Template Injection (SSTI) vulnerability in Frappe ERPNext allows authenticated attackers with Print Format creation/modification permissions to inject malicious Jinja expressions that execute database queries when Print Formats are rendered. This leads to sensitive database information disclosure including schema details and potentially sensitive data. All ERPNext instances up to version 15.89.0 are affected.

💻 Affected Systems

Products:
  • Frappe ERPNext
Versions: through 15.89.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Print Format creation/modification permissions. The vulnerability exists in the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including extraction of sensitive business data, user credentials, and potential privilege escalation through further exploitation of disclosed information.

🟠 Likely Case

Information disclosure of database schema, version details, and potentially sensitive business data from accessible tables.

🟢 If Mitigated

Limited impact with proper access controls restricting Print Format permissions to trusted users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has Print Format permissions. Public proof-of-concept demonstrates the attack flow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.90.0 or later

Vendor Advisory: https://github.com/frappe/frappe/security/advisories

Restart Required: Yes

Instructions:

1. Update Frappe framework to version 15.90.0 or later.
2. Update ERPNext to the latest compatible version.
3. Restart the application server.
4. Verify the fix by checking the version and testing Print Format functionality.

🔧 Temporary Workarounds

Restrict Print Format Permissions


Limit Print Format creation and modification permissions to only essential, trusted users.

Disable Print Format API


Temporarily disable the frappe.www.printview.get_html_and_style() API endpoint if not required.

🧯 If You Can't Patch

  • Implement strict access controls to limit Print Format permissions to minimal necessary users
  • Monitor and audit Print Format creation/modification activities for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check if ERPNext version is 15.89.0 or earlier. Review user permissions for Print Format creation/modification.

Check Version:

bench version

Verify Fix Applied:

Verify ERPNext version is 15.90.0 or later. Test Print Format rendering with safe templates.
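The version check above compares against the patched release 15.90.0. The following script is an added example, not part of this advisory or the Frappe project: it parses the output of bench version and compares each app's version numerically (so 15.100.0 is correctly treated as newer than 15.90.0). It assumes bench version prints one "<app> <version>" pair per line; the sample output embedded below is constructed.

```python
"""Compare Frappe/ERPNext versions against the 15.90.0 fix for CVE-2025-66438.

Added example, not code from the advisory or from Frappe. The assumed
`bench version` output format is one "<app> <version>" pair per line.
"""
import re
import subprocess

FIXED_VERSION = (15, 90, 0)  # patched release named by the advisory

# Constructed sample of `bench version` output, used for the offline run.
SAMPLE_OUTPUT = """erpnext 15.89.0
frappe 15.89.0
"""


def parse_version(text: str) -> tuple:
    """Turn '15.89.0' (optionally with a suffix such as '-rc1') into (15, 89, 0)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def parse_bench_output(output: str) -> dict:
    """Map app name -> version tuple from the assumed `bench version` format."""
    versions = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            versions[parts[0]] = parse_version(parts[1])
    return versions


def is_patched(versions: dict, app: str = "frappe") -> bool:
    """True when the named app is at or past the fixed release (tuple comparison, not string)."""
    if app not in versions:
        raise KeyError(f"{app} not present in bench output")
    return versions[app] >= FIXED_VERSION


def check_live() -> dict:
    """Run `bench version` on this host and report the frappe and erpnext status."""
    out = subprocess.run(["bench", "version"], capture_output=True, text=True, check=True).stdout
    versions = parse_bench_output(out)
    return {app: is_patched(versions, app) for app in ("frappe", "erpnext") if app in versions}


if __name__ == "__main__":
    found = parse_bench_output(SAMPLE_OUTPUT)
    for app, ver in found.items():
        status = "PATCHED" if ver >= FIXED_VERSION else "VULNERABLE"
        print(f"{app} {'.'.join(map(str, ver))} {status}")
```

Run check_live() on the bench host instead of the constructed sample to evaluate a real install; both the frappe framework (step 1 of the fix instructions) and the erpnext app are reported.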

📡 Detection & Monitoring

Log Indicators:

  • Unusual Print Format creation/modification by non-admin users
  • Multiple failed or unusual database queries from Print Format rendering

Network Indicators:

  • Unusual API calls to frappe.www.printview.get_html_and_style() endpoint

SIEM Query:

source="erpnext" AND (event="Print Format Created" OR event="Print Format Modified") AND user!="Administrator"
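To exercise the SIEM logic offline, the following is an added example, not part of this advisory: it applies the same conditions as the query above (source is erpnext, event is a Print Format creation or modification, user is not Administrator) to log records, and additionally flags users who make repeated Print Format changes within a short window, which is the "suspicious pattern" the audit recommendation points at. The record field names mirror the query; the sample records, the burst threshold and the window are constructed assumptions.

```python
"""Offline check of the advisory's SIEM query plus a burst heuristic.

Added example, not from the advisory or from Frappe. Field names follow the
advisory's query; the sample records and the burst parameters are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_EVENTS = {"Print Format Created", "Print Format Modified"}
TRUSTED_USERS = {"Administrator"}       # mirrors user!="Administrator" in the query
BURST_THRESHOLD = 3                     # assumed: this many changes by one user ...
BURST_WINDOW = timedelta(minutes=10)    # ... within this window is worth a look

# Constructed sample log records.
SAMPLE_LOGS = [
    {"timestamp": "2025-01-10T09:00:00", "source": "erpnext", "event": "Print Format Created",
     "user": "Administrator", "name": "Invoice v2"},
    {"timestamp": "2025-01-10T09:02:00", "source": "erpnext", "event": "Print Format Modified",
     "user": "alice@example.com", "name": "Invoice v2"},
    {"timestamp": "2025-01-10T09:03:00", "source": "erpnext", "event": "Print Format Modified",
     "user": "alice@example.com", "name": "Invoice v2"},
    {"timestamp": "2025-01-10T09:04:00", "source": "erpnext", "event": "Print Format Modified",
     "user": "alice@example.com", "name": "Invoice v2"},
    {"timestamp": "2025-01-10T09:30:00", "source": "erpnext", "event": "Login",
     "user": "bob@example.com"},
    {"timestamp": "2025-01-10T10:00:00", "source": "erpnext", "event": "Print Format Created",
     "user": "bob@example.com", "name": "Quote"},
]


def matches_siem_query(record: dict) -> bool:
    """Same predicate as the advisory's query, evaluated on one record."""
    return (record.get("source") == "erpnext"
            and record.get("event") in WATCHED_EVENTS
            and record.get("user") not in TRUSTED_USERS)


def select_suspicious(records: list) -> list:
    """All records the query would return."""
    return [r for r in records if matches_siem_query(r)]


def find_bursts(records: list, threshold: int = BURST_THRESHOLD,
                window: timedelta = BURST_WINDOW) -> dict:
    """Map user -> largest number of matching events seen inside one sliding window."""
    by_user = defaultdict(list)
    for rec in select_suspicious(records):
        by_user[rec["user"]].append(datetime.fromisoformat(rec["timestamp"]))

    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


if __name__ == "__main__":
    for rec in select_suspicious(SAMPLE_LOGS):
        print(rec["timestamp"], rec["user"], rec["event"], rec.get("name", ""))
    for user, count in find_bursts(SAMPLE_LOGS).items():
        print(f"burst: {user} made {count} Print Format changes within {BURST_WINDOW}")
```

A single non-admin creation (bob in the sample) is returned by the query but not flagged as a burst; three edits to the same Print Format within a few minutes (alice) are. Tune the threshold to the change rate your own Print Format authors normally produce.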
