
CVE-2025-66437: Server-Side Template Injection in Frappe ERPNext

Severity (site rating): Critical
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-66437 is a Server-Side Template Injection (SSTI) vulnerability in the get_address_display method of Frappe ERPNext up to and including version 15.89.0. An authenticated attacker with permission to create or modify Address Templates can inject arbitrary Jinja2 expressions into the template. The template is rendered in a custom Jinja2 SandboxedEnvironment, but the globals supplied through get_safe_globals() still expose dangerous callables such as frappe.db.sql, so the sandbox does not stop an injected expression from querying the database or executing code on the server. Exploitation requires authentication and that specific permission, but no user interaction beyond API calls. No CVSS score has been assigned; the impact is rated high because of the potential for remote code execution and data disclosure.

AI-Powered Analysis

AI analysis last updated: 12/15/2025, 17:45:43 UTC

Technical Analysis

CVE-2025-66437 is a Server-Side Template Injection vulnerability in the get_address_display method of Frappe ERPNext, affecting versions through 15.89.0. The method renders the Address Template that applies to an address with frappe.render_template(), using a context built from its address_dict parameter. That parameter is either a dictionary of address fields or a string naming an Address document, in which case the document's fields (including the country that selects the template) populate the context.

ERPNext renders the template in a custom Jinja2 SandboxedEnvironment, but the sandbox is insufficient: the globals it receives from get_safe_globals() include frappe.db.sql and similar functions. Jinja2's sandbox vets attribute traversal and unmarked callables; it does not stop a template from calling a function that was deliberately placed in its context.

Exploitation path: an authenticated user with permission to create or modify Address Templates stores a Jinja expression in the template field, creates an Address document whose country selects that template, and calls the get_address_display API with address_dict set to the address name. The malicious template is then rendered server-side with attacker-controlled data, yielding arbitrary server-side code execution or disclosure of database contents.

Authentication and the specific permission are required, so exploitation is limited to insiders or compromised accounts. No public exploit is known and no CVSS score has been assigned; this page rates the issue Critical because of the potential for remote code execution and data leakage, and ERPNext's role in enterprise resource planning makes it a significant risk for organizations that depend on it.
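The mechanism described above, reduced to a runnable demonstration. This is an added example and not code from ERPNext or Frappe: make_fake_frappe is an assumed stand-in for the frappe object with only frappe.db.sql modelled, backed by an in-memory SQLite table of constructed rows; ADDRESS and the three templates are constructed sample data; render_hardened is this example's own fix (keep the dangerous name out of the render context), not the project's patch. It shows that Jinja2's SandboxedEnvironment does block the classic dunder-traversal escape, yet lets a plain call to an exposed function through, which is exactly the gap in the advisory.

```python
"""Added example (not ERPNext's or Frappe's code): why a Jinja2
SandboxedEnvironment does not contain an address-template injection when
the render context itself exposes a database function.

Assumptions, labelled as such: make_fake_frappe is a stand-in for the
`frappe` object with only frappe.db.sql modelled, backed by an in-memory
SQLite table of constructed rows; ADDRESS and the three templates are
constructed sample data; render_hardened is this example's own fix,
not the project's patch.
"""
import sqlite3
from types import SimpleNamespace

from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment


def make_fake_frappe():
    """Stand-in for frappe.db.sql: runs raw SQL against a constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabUser (name TEXT, api_secret TEXT)")
    conn.execute(
        "INSERT INTO tabUser VALUES ('admin@example.com', 'sk-constructed-secret')"
    )

    def sql(query):
        return conn.execute(query).fetchall()

    return SimpleNamespace(db=SimpleNamespace(sql=sql))


# Fields an Address document would contribute to the render context (constructed).
ADDRESS = {"address_line1": "1 Example Street", "city": "Berlin", "country": "Germany"}

# A benign Address Template.
LEGIT_TEMPLATE = "{{ address_line1 }}<br>{{ city }}<br>{{ country }}"

# Attacker-controlled template: an ordinary call to an exposed function.
# No sandbox escape is needed, because the function was handed over on purpose.
MALICIOUS_TEMPLATE = "{{ frappe.db.sql('SELECT name, api_secret FROM tabUser') }}"

# Classic attribute-traversal escape, which the sandbox does stop.
TRAVERSAL_TEMPLATE = "{{ ''.__class__.__mro__[1].__subclasses__() }}"


def render_vulnerable(template_src, address, frappe):
    """The flawed pattern: sandboxed engine, but `frappe` (hence frappe.db.sql)
    is reachable from the template. SandboxedEnvironment only vets attribute
    access and unmarked callables; a plain function in the context is fair game."""
    env = SandboxedEnvironment()
    return env.from_string(template_src).render(frappe=frappe, **address)


def render_hardened(template_src, address):
    """Same engine, context reduced to the address fields: there is no
    `frappe` name to reach, so the injected call fails before it runs."""
    env = SandboxedEnvironment()
    return env.from_string(template_src).render(**address)


def demo():
    """Run the four cases and return what happened in each."""
    frappe = make_fake_frappe()
    result = {"legit": render_hardened(LEGIT_TEMPLATE, ADDRESS)}

    # 1. Exposed function: the sandbox lets the query through and the
    #    rendered "address" is the contents of the user table.
    result["leak"] = render_vulnerable(MALICIOUS_TEMPLATE, ADDRESS, frappe)

    # 2. The sandbox is not useless: it blocks dunder traversal...
    try:
        render_vulnerable(TRAVERSAL_TEMPLATE, ADDRESS, frappe)
        result["traversal_blocked"] = False
    except SecurityError:
        result["traversal_blocked"] = True

    # 3. ...but the fix that matters is keeping dangerous names out of the context.
    try:
        render_hardened(MALICIOUS_TEMPLATE, ADDRESS)
        result["hardened_blocked"] = False
    except UndefinedError:
        result["hardened_blocked"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the legitimate address, then the leaked user row rendered in place of an address, and True for both blocked cases. The point of the hardened variant is the design rule behind it: a sandbox is a second line of defence for user-authored templates, and the context handed to those templates must contain only the data they are meant to format.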

Potential Impact

For European organizations, the impact of CVE-2025-66437 can be severe. Exploitation can lead to server-side code execution, allowing an attacker to run arbitrary commands and potentially take over the host. It can also expose sensitive database contents, including customer data, financial records and internal business information, which would constitute a personal-data breach under GDPR. Because authentication and a specific permission are required, the risk from anonymous external attackers is lower, but the issue is well suited to insider abuse or to an attacker who has already compromised an account with template-editing rights. Organizations that run ERPNext for core business functions face operational disruption, data breaches, regulatory penalties and reputational damage; because ERPNext holds the enterprise's operational data, destructive commands executed through the same path also threaten availability.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately audit who can create or modify Address Templates and restrict that permission to trusted administrators (in Frappe this is governed by Role Permissions Manager for the Address Template DocType). Monitor for unexpected changes to Address Template records, and review the existing templates for expressions that do more than format address fields: any reference to frappe.*, and frappe.db.sql in particular, or to dunder attributes such as __class__, is a strong indicator of an injection attempt. Until an official patch is available, consider restricting access to the get_address_display API where that is feasible for your workflows. Runtime application self-protection (RASP) or a web application firewall (WAF) with custom rules can detect and block common template-injection patterns in template submissions, with the caveat that such rules are bypassable and are no substitute for the permission fix. Educate administrators about template injection, enforce strong authentication including multi-factor authentication to reduce account compromise, and apply the ERPNext patch promptly once it is released. Include template-rendering components in regular security assessments and penetration tests.
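The template review recommended above, as an added example rather than tooling from ERPNext or this page: a small audit script that scans Address Template records for Jinja expressions reaching beyond plain address fields. The records are constructed sample data in an assumed shape {name, country, template}; in a live system you would fetch them from the Address Template DocType through the Frappe API. The rules encode this page's advice (flag frappe.* access, above all frappe.db.sql) plus generic sandbox-escape tokens; they are not a published signature.

```python
"""Added example (not ERPNext's own tooling): audit Address Template records
for Jinja expressions that should never appear in an address format.

Assumptions, labelled as such: SAMPLE_TEMPLATES are constructed records in
an assumed {name, country, template} shape; the patterns are this example's
own heuristics derived from the advisory, not a published signature.
"""
import re

# Expressions that have no business in an address template: treat as high.
HIGH_RISK = [
    (r"frappe\.db\.sql\s*\(", "direct SQL via frappe.db.sql"),
    (r"__(?:class|mro|subclasses|globals|builtins|import)__", "dunder traversal"),
    (r"\|\s*attr\s*\(", "attr filter (attribute access by string)"),
]

# Anything else that touches the frappe namespace or pulls in other
# templates deserves a human look.
REVIEW = [
    (r"\bfrappe\.", "frappe.* object reachable from template"),
    (r"\{%-?\s*(?:import|include|extends)\b", "template import/include"),
]

# Jinja expression {{ ... }} and statement {% ... %} blocks.
JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)


def scan_template(name, template):
    """Return findings for one template as (name, severity, reason, snippet)."""
    findings = []
    for block in JINJA_BLOCK.findall(template):
        for pattern, reason in HIGH_RISK:
            if re.search(pattern, block):
                findings.append((name, "high", reason, block.strip()))
        for pattern, reason in REVIEW:
            if re.search(pattern, block):
                findings.append((name, "review", reason, block.strip()))
    return findings


def scan_all(records):
    """Scan every record; a clean deployment returns an empty list."""
    findings = []
    for rec in records:
        findings.extend(scan_template(rec["name"], rec["template"]))
    return findings


# Constructed sample records. The first is the shape of a benign template;
# the other two carry the two kinds of payload the advisory is about.
SAMPLE_TEMPLATES = [
    {"name": "Germany", "country": "Germany",
     "template": "{{ address_line1 }}<br>{% if address_line2 %}{{ address_line2 }}<br>{% endif %}"
                 "{{ pincode }} {{ city }}<br>{{ country|upper }}"},
    {"name": "Narnia", "country": "Narnia",
     "template": "{{ address_line1 }}<br>"
                 "{{ frappe.db.sql('SELECT name, api_secret FROM `tabUser`') }}"},
    {"name": "Atlantis", "country": "Atlantis",
     "template": "{{ ''.__class__.__mro__[1].__subclasses__() }}"},
]


if __name__ == "__main__":
    for name, severity, reason, snippet in scan_all(SAMPLE_TEMPLATES):
        print(f"[{severity}] {name}: {reason}: {snippet}")
```

The benign German template produces no findings even though it uses a filter and an if-block, the Narnia record is flagged both for the SQL call and for touching frappe.* at all, and the Atlantis record is caught by the dunder rule. Treat a "review" finding as a prompt to read the template, and a "high" finding as an incident to investigate, including who last modified the record and which Address documents select it.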


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-30T00:00:00.000Z
CVSS Version: none assigned
State: PUBLISHED

Threat ID: 694045bfd9bcdf3f3df2be9b
Added to database: 12/15/2025, 5:30:39 PM
Last enriched: 12/15/2025, 5:45:43 PM
Last updated: 12/16/2025, 1:02:02 AM
