CVE-2025-66435 is a critical Server-Side Template Injection (SSTI) vulnerability found in the get_contract_template method of Frappe ERPNext up to version 15.89.0. The vulnerability arises because the method renders user-supplied Jinja2 templates (specifically in the contract_terms field) using frappe.render_template() with a user-controlled context (doc). Although Frappe attempts to sandbox template execution via a custom SandboxedEnvironment, it inadvertently exposes dangerous global functions such as frappe.db.sql through get_safe_globals(). This exposure allows an authenticated attacker who can create or modify Contract Templates to inject arbitrary Jinja expressions that execute server-side code. The execution context is restricted but still unsafe, enabling attackers to perform unauthorized database queries and leak sensitive information. The vulnerability requires authentication and specific privileges, which limits exploitation to insiders or compromised accounts with template editing rights. No public exploits have been reported yet, and no official patches or CVSS scores are currently available. The vulnerability highlights the risks of improper sandboxing in template engines and the importance of tightly controlling template editing capabilities in ERP systems.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive business data managed within ERPNext systems. Successful exploitation can lead to unauthorized disclosure of database contents, including potentially sensitive contract information, customer data, and internal business logic. This could result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for data protection. The requirement for authentication and specific privileges reduces the likelihood of external attackers exploiting this vulnerability directly but increases the risk from insider threats or compromised user accounts. Organizations with extensive use of ERPNext for contract management and those with less stringent internal access controls are particularly vulnerable. The ability to execute server-side code, even in a restricted context, could also be leveraged for further lateral movement or privilege escalation within the affected environment.

1. Immediately restrict permissions to create or modify Contract Templates to only the most trusted and necessary users. 2. Conduct a thorough audit of existing contract templates to detect and remove any suspicious or unauthorized Jinja2 expressions. 3. Monitor logs for unusual template rendering activity or database queries originating from template execution contexts. 4. Implement strict access controls and multi-factor authentication to reduce the risk of account compromise. 5. Follow Frappe ERPNext vendor channels closely for official patches or updates addressing this vulnerability and apply them promptly once available. 6. Consider implementing additional application-layer filtering or validation of template inputs to prevent injection of malicious expressions. 7. Educate developers and administrators about the risks of SSTI and the importance of secure template handling. 8. If feasible, isolate ERPNext instances handling sensitive data within segmented network zones to limit potential lateral movement.