VYPR
Unrated severityOSV Advisory· Published Dec 15, 2025· Updated Dec 17, 2025

CVE-2025-66435

CVE-2025-66435

Description

An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Contract Template can inject arbitrary Jinja expressions into the contract_terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Frappe/ErpnextOSV2 versions
    4.0.0, 4.0.0-beta1, v10.0.0, …+ 1 more
    • (no CPE)range: 4.0.0, 4.0.0-beta1, v10.0.0, …
    • (no CPE)range: <=15.89.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.