CVE-2025-66434: n/a
CVE-2025-66434 is a Server-Side Template Injection (SSTI) vulnerability in the get_dunning_letter_text method of Frappe ERPNext versions through 15.89.0. It allows an authenticated attacker with permissions to configure Dunning Type and its child table to inject malicious Jinja2 template expressions. The vulnerability arises because the function renders attacker-controlled templates using frappe.render_template() with a user-supplied context, and the sandboxed environment still exposes dangerous globals like frappe.db.sql. Exploitation can lead to server-side code execution within a restricted context and potential leakage of sensitive database information. No public exploits are known yet, and no CVSS score is assigned.
AI Analysis
Technical Summary
CVE-2025-66434 is a critical Server-Side Template Injection (SSTI) vulnerability found in the get_dunning_letter_text method of Frappe ERPNext up to version 15.89.0. The vulnerability stems from the rendering of user-supplied Jinja2 templates (body_text) via the frappe.render_template() function, which uses a user-controlled context object (doc). Although Frappe attempts to sandbox the Jinja2 environment using a custom SandboxedEnvironment, it inadvertently exposes dangerous global functions such as frappe.db.sql through get_safe_globals(). This exposure allows an authenticated attacker, who has permissions to configure the Dunning Type and its associated Dunning Letter Text child table, to inject arbitrary Jinja2 expressions. These expressions can execute server-side code within the template rendering process, potentially leading to unauthorized database queries and leakage of sensitive information. The vulnerability requires authentication and specific configuration access, limiting the attack surface to users with elevated privileges. No public exploits are currently known, and no official patches or CVSS scores have been published as of the vulnerability's disclosure date. The lack of a CVSS score necessitates a severity assessment based on the potential impact and exploitation complexity.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially to those relying on Frappe ERPNext for enterprise resource planning and financial operations. Successful exploitation could lead to unauthorized disclosure of sensitive financial and customer data stored in the ERP system's database, undermining confidentiality. The ability to execute server-side code, even within a restricted context, could be leveraged to escalate privileges or pivot to other parts of the network, impacting integrity and availability. Organizations in sectors such as finance, manufacturing, and retail that heavily depend on ERPNext for critical business processes are particularly at risk. Data breaches resulting from this vulnerability could lead to regulatory penalties under GDPR due to exposure of personal data. Additionally, the requirement for authenticated access means insider threats or compromised credentials could facilitate exploitation, increasing the risk profile. The absence of known public exploits provides a window for mitigation, but it also indicates potential for targeted attacks once exploit code becomes available.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately restrict access to the Dunning Type configuration and its child tables to only the most trusted and necessary personnel, minimizing the number of users who can inject malicious templates. Implement strict role-based access controls (RBAC) and audit all changes to these configurations. Organizations should monitor logs for unusual template rendering activity or database queries originating from the ERP system. Until an official patch is released, consider disabling or limiting the use of custom dunning letter templates if feasible. Review and harden the Jinja2 sandbox environment by removing or restricting dangerous globals such as frappe.db.sql from the template execution context. Conduct thorough code reviews and penetration testing focused on template injection vectors. Additionally, enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Stay updated with vendor advisories and apply patches promptly once available.
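As an added illustration of the "restrict dangerous globals" and "audit changes to these configurations" recommendations above (this is not Frappe's or the advisory's code): a stdlib-only pre-save audit that lists every Jinja2 root name a dunning letter body_text reaches for beyond an allowlist, so a template referencing frappe.db.sql is flagged before it is ever rendered. The function names, the allowlist default of doc, and the sample templates are all constructed here.

```python
import re

# Constructed audit for Jinja2 dunning-letter templates (not Frappe's own code).
_TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)   # {{ expr }} / {% stmt %}
_STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")                  # string literals
_FILTER_RE = re.compile(r"\|\s*\w+")                             # "| round" is a filter
_KWARG_RE = re.compile(r"\b\w+\s*=(?!=)")                        # "as_dict=1" is a kwarg
_BOUND_RE = re.compile(r"\b(?:for|set)\s+([\w\s,]+?)\s*(?:\bin\b|=)")  # loop/set names
_ROOT_RE = re.compile(r"(?<![\w.])[A-Za-z_]\w*")                 # first name of a chain
_SYNTAX = {"if", "elif", "else", "endif", "for", "endfor", "in", "not", "and",
           "or", "is", "set", "with", "endwith", "loop", "raw", "endraw",
           "true", "false", "none", "True", "False", "None"}


def find_template_roots(body_text: str) -> set[str]:
    """Root names a template resolves from its context or the sandbox globals."""
    roots, bound = set(), set()
    for m in _TAG_RE.finditer(body_text):
        expr = _STRING_RE.sub("", m.group(1) or m.group(2) or "")
        for names in _BOUND_RE.findall(expr):            # names bound inside the template
            bound.update(n.strip() for n in names.split(",") if n.strip())
        expr = _KWARG_RE.sub("", _FILTER_RE.sub("", expr))
        roots.update(_ROOT_RE.findall(expr))
    return roots - _SYNTAX - bound


def audit_dunning_template(body_text: str, allowed_roots=("doc",)) -> list[str]:
    """Names reached outside the allowlist; [] means only the dunning document is used."""
    return sorted(find_template_roots(body_text) - set(allowed_roots))


# Constructed sample templates for the audit.
BENIGN_TEMPLATE = (
    "Dear {{ doc.customer_name }},\n"
    "{% for row in doc.overdue_payments %}"
    "- {{ row.invoice }}: {{ row.amount | round(2) }}\n"
    "{% endfor %}"
)
SUSPICIOUS_TEMPLATE = "Balance: {{ frappe.db.sql('SELECT 1') }}"

if __name__ == "__main__":
    print("benign:", audit_dunning_template(BENIGN_TEMPLATE))          # []
    print("suspicious:", audit_dunning_template(SUSPICIOUS_TEMPLATE))  # ['frappe']
```

The same allowlist can drive a validate hook on the Dunning Letter Text child table or a periodic scan of stored templates, which turns the advisory's "audit all changes" into a concrete check.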
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-30T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69403ea1d9bcdf3f3deea906
Added to database: 12/15/2025, 5:00:17 PM
Last enriched: 12/15/2025, 5:15:28 PM
Last updated: 12/15/2025, 8:36:41 PM