
CVE-2025-66438: n/a

Severity: Critical
Category: Vulnerability
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. Once the malicious Print Format is saved, the attacker can call get_html_and_style() with a target document (e.g., Supplier or Sales Invoice) to trigger the render process. This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: the attacker creates a Print Format with an SSTI payload in the html field and calls the get_html_and_style() API; this triggers frappe.render_template(template, doc) inside get_rendered_template(), which leaks database information via frappe.db.sql or other exposed globals.

AI-Powered Analysis

AI analysis last updated: 12/22/2025, 18:14:36 UTC

Technical Analysis

CVE-2025-66438 is a severe Server-Side Template Injection vulnerability affecting the Frappe ERPNext platform through version 15.89.0. The flaw exists in the Print Format rendering process, specifically within the API frappe.www.printview.get_html_and_style(), which calls frappe.render_template(template, doc) via get_rendered_template(). Although ERPNext uses Jinja2's SandboxedEnvironment to limit template execution, it inadvertently exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An attacker with authenticated access and permission to create or modify Print Formats can inject malicious Jinja2 expressions into the html field of a Print Format document. Once saved, invoking the get_html_and_style() API with a target document triggers the rendering process, executing the injected template code. This enables the attacker to perform arbitrary SQL queries and extract sensitive database information, including database version, schema details, and confidential data stored in the database. The vulnerability leverages the combination of template injection and exposed database query functions, bypassing typical sandbox restrictions. Exploitation requires authentication but no further user interaction, making it a potent vector for insider threats or compromised accounts. The vulnerability is assigned a CVSS v3.1 score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, as well as its ease of exploitation once access is obtained. No patches or exploits in the wild are currently documented, but the risk is significant given ERPNext's widespread use in enterprise resource planning.

Potential Impact

For European organizations using Frappe ERPNext, this vulnerability poses a critical risk. Successful exploitation can lead to unauthorized disclosure of sensitive business data, including financial records, supplier information, and internal configurations, which can severely damage confidentiality. Attackers might also manipulate or corrupt data, impacting integrity, and potentially disrupt ERP services, affecting availability. Given ERPNext's role in managing core business processes, such compromise could halt operations, cause regulatory compliance violations (e.g., GDPR breaches due to data exposure), and lead to financial losses and reputational damage. The requirement for authenticated access limits exposure to internal users or compromised credentials, but insider threats or phishing attacks could enable exploitation. Organizations in sectors with high reliance on ERP systems, such as manufacturing, retail, and logistics, are particularly vulnerable. The lack of known exploits in the wild provides a window for proactive mitigation, but the critical severity demands immediate attention.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Immediately audit and restrict permissions related to Print Format creation and modification to the minimum necessary users, ideally limiting them to trusted administrators.
2) Monitor and log all changes to Print Formats and all API calls to frappe.www.printview.get_html_and_style() for suspicious activity.
3) Employ strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise.
4) Review and sanitize any existing Print Formats for injected or suspicious Jinja2 expressions.
5) Engage with ERPNext vendors or the community to obtain patches or updates addressing this vulnerability as soon as they become available.
6) Consider implementing Web Application Firewalls (WAF) with custom rules to detect and block unusual template injection patterns in API requests.
7) Educate internal users about the risks of credential phishing and insider threats.
8) If feasible, isolate ERPNext instances in segmented network zones to limit lateral movement in case of compromise.
These targeted actions go beyond generic advice by focusing on the specific attack vector and operational context of ERPNext deployments.
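An audit helper for mitigation item 4, added here as an example and not part of the advisory or of the Frappe code base: it extracts the Jinja2 blocks from a Print Format's html field and flags references to frappe.db.sql (the function named in the advisory), to any other frappe.db attribute, and to dunder attribute chains; the latter two are assumed review indicators, not something the advisory lists. The sample Print Format records are constructed, and the field names 'name' and 'html' mirror the advisory's description of the document.

```python
import re

# Jinja2 delimiters: {{ expression }} and {% statement %} (comments {# #} carry no code)
JINJA_BLOCK = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Indicators, checked in order; the first match decides the label for a block.
# frappe.db.sql is the global named in the advisory. The broader frappe.db
# check and the dunder check are assumed review indicators (assumption).
SENSITIVE_PATTERNS = [
    (re.compile(r"\bfrappe\s*\.\s*db\s*\.\s*sql\b"), "frappe.db.sql"),
    (re.compile(r"\bfrappe\s*\.\s*db\b"), "other frappe.db access (review manually)"),
    (re.compile(r"__\w+__"), "dunder attribute access"),
]


def scan_print_format_html(html):
    """Return one finding per Jinja block that references a sensitive name."""
    findings = []
    for match in JINJA_BLOCK.finditer(html):
        body = match.group(1) if match.group(1) is not None else match.group(2)
        for pattern, label in SENSITIVE_PATTERNS:
            if pattern.search(body):
                findings.append({"block": match.group(0).strip(), "indicator": label})
                break
    return findings


def audit_print_formats(print_formats):
    """Map each Print Format name to its findings; formats with no findings are omitted."""
    report = {}
    for pf in print_formats:
        hits = scan_print_format_html(pf.get("html") or "")
        if hits:
            report[pf["name"]] = hits
    return report


# Constructed sample records, not real ERPNext data.
SAMPLE_PRINT_FORMATS = [
    {"name": "Invoice Standard", "html": "<h1>{{ doc.name }}</h1><p>{{ doc.customer_name }}</p>"},
    {"name": "Supplier Label", "html": "{% for item in doc.items %}<li>{{ item.item_code }}</li>{% endfor %}"},
    {"name": "Suspicious Format", "html": "<p>{{ frappe.db.sql('select version()') }}</p>"},
    {"name": "Escape Attempt", "html": "{{ doc.__class__.__mro__ }}"},
]

if __name__ == "__main__":
    for name, hits in audit_print_formats(SAMPLE_PRINT_FORMATS).items():
        for hit in hits:
            print(f"{name}: {hit['indicator']} in {hit['block']}")
```

In a live deployment the same scan can be run over the html column of every Print Format record, and any hit should be reviewed alongside the Print Format's modification history from mitigation item 2.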


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-30T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69404938d9bcdf3f3df4a610

Added to database: 12/15/2025, 5:45:28 PM

Last enriched: 12/22/2025, 6:14:36 PM

Last updated: 2/7/2026, 3:47:47 AM

Views: 92
