CVE-2025-66437

An SSTI (Server-Side Template Injection) vulnerability exists in the getaddressdisplay method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.rendertemplate() with a context derived from the addressdict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via getsafeglobals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the getaddressdisplay API with addressdict="addressname", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure.