CVE-2025-66438 is a Server-Side Template Injection vulnerability found in the Frappe ERPNext platform through version 15.89.0, specifically within the Print Format rendering mechanism. The vulnerability arises because the API frappe.www.printview.get_html_and_style() calls frappe.render_template(template, doc) to render the html field of a Print Format document. Although ERPNext uses Jinja2's SandboxedEnvironment to restrict template execution, it inadvertently exposes sensitive functions such as frappe.db.sql through the get_safe_globals() method. An attacker who is authenticated and has permission to create or modify Print Formats can inject arbitrary Jinja2 expressions into the html field. When the malicious Print Format is saved and the get_html_and_style() API is invoked with a target document (e.g., Supplier or Sales Invoice), the rendering process executes the injected template code. This allows the attacker to perform unauthorized database queries and extract sensitive information such as database version, schema details, or confidential data stored in the database. The attack flow involves creating a Print Format containing the SSTI payload, saving it, and then triggering the rendering API to execute the payload. The vulnerability does not require user interaction beyond API calls but does require authenticated access with specific permissions. No patches or CVSS scores are currently available, and no known exploits have been reported in the wild. This vulnerability highlights the risks of insufficient sandboxing and exposure of sensitive functions within template engines in web applications.

For European organizations using Frappe ERPNext, this vulnerability can lead to significant confidentiality breaches by exposing sensitive business data, including financial records, supplier information, and internal database schemas. The integrity of data may also be at risk if attackers leverage the vulnerability to craft further attacks or pivot within the environment. Given ERPNext's role in managing enterprise resource planning functions, such data leakage could disrupt business operations, damage reputations, and lead to regulatory non-compliance, especially under GDPR requirements for data protection. The requirement for authenticated access limits the attack surface but insider threats or compromised credentials could enable exploitation. The absence of known public exploits reduces immediate risk, but the vulnerability's presence in a widely used ERP system means that targeted attacks could emerge. Organizations relying heavily on ERPNext for critical workflows are particularly vulnerable to operational disruptions and data loss.

European organizations should immediately review and restrict permissions related to Print Format creation and modification to trusted administrators only. Implement strict access controls and monitor for unusual activity involving the get_html_and_style() API or Print Format changes. Apply principle of least privilege to limit authenticated users who can create or edit Print Formats. Until an official patch is released, consider disabling or restricting access to the vulnerable API endpoints where feasible. Conduct thorough code reviews and audits of custom Print Formats to detect injected or suspicious Jinja2 expressions. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block SSTI payload patterns. Regularly update ERPNext to the latest versions once patches become available. Additionally, enhance logging and alerting around template rendering and database query executions to detect exploitation attempts early. Educate administrators about the risks of SSTI and enforce strong authentication mechanisms to reduce the risk of credential compromise.