CVE-2025-66436: n/a

Severity: High
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-66436 is a Server-Side Template Injection (SSTI) vulnerability in Frappe ERPNext versions through 15.89.0. It arises from the get_terms_and_conditions method rendering attacker-controlled Jinja2 templates with a user-supplied context. Despite using a custom SandboxedEnvironment, dangerous globals such as frappe.db.sql remain accessible, enabling authenticated attackers who can create or modify Terms and Conditions documents to execute arbitrary server-side code. This can lead to unauthorized database information disclosure and potentially further compromise. Exploitation requires authentication and the ability to modify specific documents but does not require user interaction beyond that. No CVSS score is assigned yet, but the vulnerability is severe due to the potential for code execution and data leakage.

AI-Powered Analysis

Last updated: 12/15/2025, 17:45:56 UTC

Technical Analysis

CVE-2025-66436 is a critical Server-Side Template Injection vulnerability found in the get_terms_and_conditions method of Frappe ERPNext versions up to 15.89.0. The vulnerability stems from the method rendering Jinja2 templates that are attacker-controlled via the 'terms' field, using frappe.render_template() with a user-supplied context object 'doc'. Although Frappe employs a custom SandboxedEnvironment intended to restrict template execution, it still exposes dangerous global functions, notably frappe.db.sql, through get_safe_globals(). This exposure allows an authenticated attacker, who has permissions to create or modify Terms and Conditions documents, to inject arbitrary Jinja2 expressions. These expressions can execute server-side code within the template rendering context, which, while restricted, is still unsafe. The attacker can leverage this to perform unauthorized database queries, leading to sensitive data leakage. The vulnerability requires authentication and specific document modification privileges but does not require additional user interaction. No known exploits are reported in the wild yet, and no CVSS score has been assigned. However, the ability to execute server-side code and access database functions makes this a high-risk vulnerability. The lack of a patch link suggests that remediation may require updates from the vendor or manual mitigation steps. Organizations using ERPNext should review access controls, restrict permissions to modify Terms and Conditions documents, and monitor for suspicious template modifications.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of sensitive business data managed within ERPNext systems. Since ERPNext is widely used for enterprise resource planning, unauthorized database access could expose financial records, customer data, and operational details. The ability to execute server-side code could also lead to further system compromise, lateral movement, or data exfiltration. Organizations in sectors such as manufacturing, retail, and services that rely on ERPNext for critical business functions may face operational disruptions and regulatory compliance issues, especially under GDPR mandates concerning data protection. The requirement for authenticated access limits the attack surface but insider threats or compromised credentials could enable exploitation. Additionally, the absence of a patch increases the urgency for immediate mitigation. The impact extends to trust and reputation damage if sensitive information is leaked or systems are disrupted.

Mitigation Recommendations

1. Immediately audit and restrict permissions to create or modify Terms and Conditions documents within ERPNext, limiting this capability to trusted administrators only.
2. Implement strict access controls and multi-factor authentication to reduce the risk of credential compromise.
3. Monitor logs for unusual template modifications or access patterns related to Terms and Conditions documents.
4. If possible, disable or restrict the use of dynamic template rendering features until a vendor patch is available.
5. Engage with the ERPNext vendor or community to obtain patches or updates addressing this vulnerability.
6. Consider deploying web application firewalls (WAF) with custom rules to detect and block suspicious Jinja2 template payloads.
7. Conduct internal security awareness training to highlight the risks of template injection and the importance of safeguarding administrative credentials.
8. Review and harden the custom SandboxedEnvironment configuration to remove or restrict dangerous globals like frappe.db.sql.
9. Perform regular security assessments and penetration tests focusing on template injection vectors.
10. Prepare incident response plans to quickly address potential exploitation scenarios.
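Recommendation 8 is the one that addresses the root cause described in the technical analysis: a Jinja2 sandbox restricts attribute access, but it does not stop a template from calling a database accessor that the context hands it. The following is an added example, not Frappe's or ERPNext's code; the `frappe_like` object and `_fake_sql` are constructed stand-ins for the framework object whose `db.sql` ends up in the template globals. It contrasts the vulnerable shape (sandbox plus leaked accessor) with a sandbox subclass that refuses every callable not on an explicit allowlist and records each refusal for detection.

```python
"""Added example (not Frappe's code): a Jinja2 sandbox alone does not stop
SSTI when the render context exposes a database handle. `frappe_like` and
`_fake_sql` are constructed stand-ins, not the real framework objects."""
from types import SimpleNamespace
from jinja2 import StrictUndefined
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

REFUSED_CALLS = []  # constructed: names of callables the sandbox refused


def _fake_sql(query):
    """Stand-in for a database accessor; a real one would execute `query`."""
    return [("leaked-row",)]


# Constructed stand-in for the framework object reachable from templates.
frappe_like = SimpleNamespace(db=SimpleNamespace(sql=_fake_sql))


class AllowlistSandbox(ImmutableSandboxedEnvironment):
    """Only callables registered in `allowed` may be invoked from a template.
    Jinja2 routes every `{{ x() }}` through is_safe_callable(); anything else
    raises SecurityError and is logged for the SOC."""

    def __init__(self, allowed, **kwargs):
        super().__init__(undefined=StrictUndefined, **kwargs)
        self.allowed = set(allowed)

    def is_safe_callable(self, obj):
        if obj in self.allowed:
            return super().is_safe_callable(obj)
        REFUSED_CALLS.append(getattr(obj, "__name__", repr(obj)))
        return False


def render_permissive(template_src, doc):
    """Vulnerable shape: sandboxed, but the db accessor sits in the globals."""
    env = ImmutableSandboxedEnvironment()
    env.globals["frappe"] = frappe_like
    return env.from_string(template_src).render(doc=doc)


def money(value):
    """Example of a harmless helper a terms template legitimately needs."""
    return f"{value:,.2f}"


def render_hardened(template_src, doc):
    """Even if the framework object leaks into globals, calling it is refused."""
    env = AllowlistSandbox(allowed=[money])
    env.globals.update(money=money, frappe=frappe_like)
    return env.from_string(template_src).render(doc=doc)


def hardened_refuses(template_src):
    """Return the refused callable's name, or None if the template rendered."""
    try:
        render_hardened(template_src, {})
        return None
    except SecurityError:
        return REFUSED_CALLS[-1]
```

Pairing the allowlist with StrictUndefined makes any reference to a name outside the intended context fail loudly instead of rendering an empty string, which is what you want to see in the render logs.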


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-30T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 694045bfd9bcdf3f3df2be97

Added to database: 12/15/2025, 5:30:39 PM

Last enriched: 12/15/2025, 5:45:56 PM

Last updated: 12/16/2025, 1:05:11 AM
