CVE-2025-66435: n/a
An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Contract Template can inject arbitrary Jinja expressions into the contract_terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information.
AI Analysis
Technical Summary
CVE-2025-66435 is a Server-Side Template Injection vulnerability found in the get_contract_template method of Frappe ERPNext versions through 15.89.0. The vulnerability arises because the function renders user-supplied Jinja2 templates (specifically the contract_terms field) using frappe.render_template() with a user-controlled context (doc). Although Frappe employs a custom SandboxedEnvironment intended to restrict template execution, it still exposes dangerous global functions such as frappe.db.sql through get_safe_globals(), which attackers can leverage. An authenticated attacker with permissions to create or modify Contract Templates can inject arbitrary Jinja expressions, resulting in server-side code execution within the template rendering environment. This execution context, while restricted, is unsafe enough to allow attackers to perform unauthorized database queries and leak sensitive information. The vulnerability does not directly allow modification or deletion of data, nor does it affect system availability, but it compromises confidentiality by exposing database contents. Exploitation requires authentication with at least contract template modification privileges, no user interaction is needed, and the attack complexity is low due to the direct injection vector. No public exploits are known at this time, but the presence of dangerous globals in the template environment represents a significant security design flaw. The vulnerability is tracked under CWE-1336 (Improper Neutralization of Input During Template Processing).
Potential Impact
For European organizations using Frappe ERPNext, this vulnerability poses a risk of unauthorized disclosure of sensitive business data stored in the ERP system's database. Since ERPNext is often used for managing contracts, financials, and other critical business processes, leakage of contract details or internal data could lead to competitive disadvantage, regulatory non-compliance (e.g., GDPR violations), and reputational damage. The vulnerability requires authenticated access with specific privileges, so insider threats or compromised user accounts are the most likely exploitation vectors. While the vulnerability does not allow data modification or system disruption, the confidentiality breach alone can be significant, especially for organizations handling sensitive contracts or personal data. European companies in sectors such as finance, manufacturing, and professional services that rely on ERPNext for contract management are particularly at risk. The medium CVSS score reflects the limited scope of impact but should not lead to complacency given the potential for data leakage and compliance issues.
Mitigation Recommendations
To mitigate CVE-2025-66435, organizations should first upgrade Frappe ERPNext to a version where this vulnerability is patched once available. Until a patch is released, restrict access to contract template creation and modification functions to only the most trusted and necessary users to reduce the attack surface. Implement strict role-based access controls (RBAC) and monitor logs for unusual template changes or suspicious activity related to contract templates. Consider applying additional input validation or sanitization on the contract_terms field to prevent injection of malicious Jinja expressions. If possible, disable or limit the availability of dangerous globals such as frappe.db.sql in the template rendering environment by customizing the sandbox configuration. Conduct regular audits of user privileges and enforce strong authentication mechanisms to prevent account compromise. Finally, monitor for any indicators of compromise or attempts to exploit this vulnerability and prepare an incident response plan focused on data leakage scenarios.
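The recommendations above call for input validation on the contract_terms field and for monitoring changes to Contract Templates. The following is an added illustration, not code from Frappe or ERPNext, of a pre-save check that could back both: it walks every `{{ ... }}` and `{% ... %}` block in a template and flags any root name that is not the rendered document (`doc`) or a Jinja loop variable, any filter outside a small allow-list, and any dunder access. It then runs that check over a constructed change feed so that edits by a given user can be surfaced for review. The document field names (party_name, clauses, and so on), the change-record shape, and the allow-lists are assumptions chosen for the example. A textual check like this is defence in depth only; the fix the advisory points at is to stop exposing objects such as `frappe.db` in the rendering context in the first place, and this validator is only sound when the context holds plain data rather than objects carrying methods.

```python
import re
from dataclasses import dataclass, field

# Root names a contract template may legitimately reference: the document being
# rendered plus Jinja's loop helper and literals. Anything else (a module object
# such as ``frappe``, for instance) has no business in contract text.
ALLOWED_ROOT_NAMES = {"doc", "loop", "true", "false", "none", "True", "False", "None"}
JINJA_KEYWORDS = {"if", "elif", "else", "endif", "for", "endfor", "in",
                  "not", "and", "or", "is", "set", "endset"}
# Assumed allow-list of formatting filters; ``attr`` is deliberately absent.
SAFE_FILTERS = {"upper", "lower", "title", "trim", "default", "length",
                "join", "escape", "e", "int", "float", "round"}

EXPR_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
FILTER_RE = re.compile(r"\|\s*([A-Za-z_]\w*)")
ROOT_NAME_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*)")  # first segment of a dotted chain
FOR_RE = re.compile(r"^for\s+(.+?)\s+in\b", re.S)
SET_RE = re.compile(r"^set\s+([A-Za-z_]\w*)")
DUNDER_RE = re.compile(r"__\w+__")


@dataclass
class Finding:
    expression: str
    unknown_names: set = field(default_factory=set)
    unsafe_filters: set = field(default_factory=set)
    dunder_access: bool = False


def audit_template(template: str, allowed_roots=ALLOWED_ROOT_NAMES):
    """Return one Finding per Jinja block that steps outside the allow-list.
    An empty list means the template only touches ``doc`` and loop variables."""
    findings = []
    bound = set()  # names introduced by earlier {% for %} / {% set %} blocks
    for m in EXPR_RE.finditer(template):
        expr = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        f = Finding(expression=expr)
        # Dunder access is never legitimate in contract text; test the raw text
        # so quoted forms such as attr('__class__') are caught as well.
        f.dunder_access = bool(DUNDER_RE.search(expr))
        body = STRING_RE.sub("''", expr)               # blank string literals
        f.unsafe_filters = set(FILTER_RE.findall(body)) - SAFE_FILTERS
        body = FILTER_RE.sub("|", body)                # filters are not variables
        # For {% for x in <iterable> %} and {% set x = <value> %} only the
        # right-hand side is scanned; the target is bound for later blocks.
        fm, sm = FOR_RE.match(body), SET_RE.match(body)
        if fm:
            scan = body[fm.end():]
            new_bound = {t.strip() for t in fm.group(1).split(",")}
        elif sm:
            scan = body[sm.end():]
            new_bound = {sm.group(1)}
        else:
            scan, new_bound = body, set()
        allowed = allowed_roots | JINJA_KEYWORDS | bound
        f.unknown_names = set(ROOT_NAME_RE.findall(scan)) - allowed
        bound |= new_bound
        if f.unknown_names or f.unsafe_filters or f.dunder_access:
            findings.append(f)
    return findings


def scan_template_changes(records):
    """records: dicts shaped like a Contract Template change feed
    (name, modified_by, contract_terms). Returns alerts worth a human look."""
    alerts = []
    for rec in records:
        findings = audit_template(rec["contract_terms"])
        if findings:
            alerts.append({"name": rec["name"], "modified_by": rec["modified_by"],
                           "expressions": [f.expression for f in findings]})
    return alerts


# Constructed sample change records, not real ERPNext data.
SAMPLE_CHANGES = [
    {"name": "Standard NDA", "modified_by": "legal@example.com",
     "contract_terms": "Between {{ doc.party_name }} and {{ doc.supplier_name|upper }}. "
                       "{% for c in doc.clauses %}{{ loop.index }}. {{ c.title|trim }} {% endfor %}"},
    {"name": "Standard NDA", "modified_by": "temp-user@example.com",
     "contract_terms": "{{ frappe.db.sql('...') }}"},   # reaches a global outside doc
    {"name": "Service Agreement", "modified_by": "temp-user@example.com",
     "contract_terms": "{{ doc|attr('__class__') }}"},  # unsafe filter and dunder access
]

if __name__ == "__main__":
    for alert in scan_template_changes(SAMPLE_CHANGES):
        print(alert)
```

Wired into a before-save hook, `audit_template` would reject the second and third templates while letting the first through; run over a change feed it gives the review queue the mitigation text asks for. Because the check only controls root names, it cannot make a context safe on its own: if `doc` itself carried methods that reach the database, every reference would still pass, which is why removing the dangerous globals from the sandbox remains the primary fix.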
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-30T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69403ea1d9bcdf3f3deea90a
Added to database: 12/15/2025, 5:00:17 PM
Last enriched: 12/22/2025, 6:04:51 PM
Last updated: 2/7/2026, 4:13:16 AM
Views: 64