CVE-2025-66434: n/a
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information.
AI Analysis
Technical Summary
CVE-2025-66434 is a Server-Side Template Injection vulnerability found in the get_dunning_letter_text method of Frappe ERPNext versions through 15.89.0. The vulnerability stems from the method rendering Jinja2 templates using frappe.render_template() with a user-supplied context (doc). Although Frappe employs a custom SandboxedEnvironment intended to restrict template execution, it still exposes several dangerous global functions, including frappe.db.sql, through get_safe_globals(). This exposure allows an authenticated attacker who has permissions to configure the Dunning Type and its child table Dunning Letter Text to inject arbitrary Jinja2 expressions. These expressions can execute server-side code within the restricted environment, enabling actions such as arbitrary database queries, data exfiltration, and potentially full server compromise. The vulnerability requires authentication and specific configuration privileges but does not require additional user interaction. The CVSS 3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction needed. No known public exploits have been reported yet, but the presence of dangerous globals in the template context makes exploitation feasible. The vulnerability is categorized under CWE-1336 (Improper Neutralization of Input During Template Processing), highlighting the risks of unsafe template rendering in web applications. ERPNext is widely used in enterprise resource planning, especially in finance and manufacturing sectors, making this vulnerability critical for organizations relying on this software.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of critical business data managed by ERPNext. Attackers with access to configure Dunning Types can execute arbitrary code on the server, potentially leading to unauthorized database queries, data leakage of sensitive financial and operational information, and disruption of ERP services. This can result in financial losses, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and operational downtime. Given ERPNext's role in managing invoicing, payments, and customer communications, exploitation could also damage customer trust and business reputation. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with weak internal access controls or compromised credentials. The lack of a patch at the time of disclosure increases exposure, necessitating immediate mitigation efforts. The vulnerability's impact is amplified in sectors with high reliance on ERP systems, such as manufacturing, retail, and finance, which are prevalent in Europe.
Mitigation Recommendations
1. Immediately restrict access to the configuration of Dunning Types and the Dunning Letter Text child table to only the most trusted and necessary personnel.
2. Monitor and audit all changes to Dunning Type configurations and template content for suspicious activity.
3. Apply any official patches or updates from Frappe ERPNext as soon as they become available.
4. If patches are not yet available, consider temporarily disabling or limiting the functionality that allows editing of Dunning Letter Text templates.
5. Review and harden the template rendering environment by removing or restricting dangerous globals such as frappe.db.sql from the template context.
6. Implement strong authentication and authorization controls to prevent unauthorized access to configuration features.
7. Conduct internal penetration testing focusing on template injection vectors to identify any other similar vulnerabilities.
8. Educate administrators and developers about the risks of SSTI and safe template handling practices.
9. Employ network segmentation and monitoring to detect anomalous database queries or server-side code execution attempts.
10. Prepare incident response plans to quickly address potential exploitation scenarios.
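The following is an added example, not code from Frappe or ERPNext, illustrating recommendations 2 and 5 from a defender's side: a deny-by-default pre-save check for Dunning Letter Text body_text that only permits references rooted in an allowlist (here just `doc`, the render context the advisory names, plus a hypothetical `frappe.utils` helper namespace), and a scan over constructed audit records of template edits that raises an alert when a template reaches for anything else, such as `frappe.db.sql`. The function names, the allowlist and the sample records are all assumptions made for this example; the real Frappe safe-globals list is broader and is not reproduced here.

```python
import re

# Deny-by-default allowlist of names a Dunning Letter Text template may
# reference. "doc" is the render context named in the advisory; "frappe.utils"
# is a hypothetical helper namespace added for illustration (assumption).
ALLOWED_PATHS = {"doc", "frappe.utils"}

# Jinja syntax words that are not context lookups and must not be flagged.
JINJA_KEYWORDS = {
    "if", "elif", "else", "endif", "for", "endfor", "in", "not", "and", "or",
    "is", "set", "endset", "true", "false", "none", "True", "False", "None",
    "loop",
}

_JINJA_BLOCK = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
_DOTTED_NAME = re.compile(r"(?<![\w.])[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*")
_STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
_FOR_TARGETS = re.compile(r"\bfor\s+([\w\s,]+?)\s+in\b")
_SET_TARGET = re.compile(r"\bset\s+(\w+)")


def _bound_names(body_text: str) -> set:
    """Names the template itself defines (for-loop targets, set variables)."""
    names = set()
    for m in _FOR_TARGETS.finditer(body_text):
        names.update(n.strip() for n in m.group(1).split(","))
    names.update(m.group(1) for m in _SET_TARGET.finditer(body_text))
    return names


def _referenced_paths(block: str) -> set:
    """Dotted identifiers used inside one {{ }} or {% %} block."""
    text = _STRING_LITERAL.sub('""', block)     # ignore quoted strings
    text = re.sub(r"\|\s*\w+", "", text)        # ignore jinja filters
    return {m.group(0) for m in _DOTTED_NAME.finditer(text)}


def _is_allowed(path: str, bound: set) -> bool:
    parts = path.split(".")
    if parts[0] in JINJA_KEYWORDS or parts[0] in bound:
        return True
    # A path is allowed if any prefix of it is on the allowlist.
    return any(".".join(parts[:i]) in ALLOWED_PATHS for i in range(1, len(parts) + 1))


def validate_body_text(body_text: str) -> list:
    """Return the disallowed references in a template; an empty list means OK."""
    bound = _bound_names(body_text)
    bad = []
    for m in _JINJA_BLOCK.finditer(body_text):
        block = m.group(1) if m.group(1) is not None else m.group(2)
        for path in sorted(_referenced_paths(block)):
            if not _is_allowed(path, bound) and path not in bad:
                bad.append(path)
    return bad


# Constructed sample of an audit feed of Dunning Letter Text edits
# (not real ERPNext log output; shape is an assumption for this example).
SAMPLE_CHANGES = [
    {"user": "accounts@example.com", "doctype": "Dunning Letter Text",
     "body_text": "Dear {{ doc.customer_name }}, invoice {{ doc.name }} is overdue."},
    {"user": "intern@example.com", "doctype": "Dunning Letter Text",
     "body_text": 'Total due: {{ frappe.db.sql("select 1")[0][0] }}'},
]


def flag_suspicious_changes(changes) -> list:
    """Return (user, disallowed_paths) for every template edit that escapes the allowlist."""
    alerts = []
    for change in changes:
        if change.get("doctype") != "Dunning Letter Text":
            continue
        bad = validate_body_text(change.get("body_text", ""))
        if bad:
            alerts.append((change["user"], bad))
    return alerts


if __name__ == "__main__":
    for user, paths in flag_suspicious_changes(SAMPLE_CHANGES):
        print(f"ALERT: {user} saved a template referencing {paths}")
```

Hooked into a before-save validation, the check refuses the template outright; run over an audit feed it gives the monitoring signal recommendation 2 asks for. Because it is an allowlist rather than a blocklist, a new dangerous global added to the render context later is rejected without any change to the check; the trade-off is that legitimate helpers must be added to ALLOWED_PATHS explicitly.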
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2025-11-30T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69403ea1d9bcdf3f3deea906
Added to database: 12/15/2025, 5:00:17 PM
Last enriched: 12/22/2025, 6:04:37 PM
Last updated: 2/6/2026, 9:27:27 AM
Views: 116