CVE-2023-54345 | THREATINT

Description

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands.

PUBLISHED Reserved 2026-01-10 | Published 2026-05-05 | Updated 2026-05-05 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Control of Generation of Code ('Code Injection')

Product status

13.4.0

affected

Credits

Sander Ferdinand finder

References

www.exploit-db.com/exploits/51580 (ExploitDB-51580) exploit

erpnext.org (Official Product Homepage) product

github.com/frappe/frappe/ (Product Reference) product

ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/ (Reference) third-party-advisory

gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6 (Source Code Repository) product

frappeframework.com/.../user/en/desk/scripting/server-script (Reference) third-party-advisory

github.com/.../frappe/blob/v13.4.0/frappe/utils/safe_exec.py (Source Code Repository) product

www.vulncheck.com/...framework-erpnext-remote-code-execution (VulnCheck Advisory: Frappe Framework ERPNext 13.4.0 Remote Code Execution) third-party-advisory

cve.org (CVE-2023-54345)

nvd.nist.gov (CVE-2023-54345)

Download JSON