Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 13.4.0
A sandbox escape vulnerability allowing remote code execution has been identified in Frappe Framework ERPNext version 13.4.0. This vulnerability arises from improper restrictions in the RestrictedPython library, which is used to control the execution of server scripts. Authenticated users with the System Manager role can exploit this vulnerability by creating a server script that accesses the gi_frame attribute to traverse the call stack and execute arbitrary system commands via os.popen.
Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server.
To reproduce this vulnerability, an authenticated user with the System Manager role can create a server script through the /app/server-script endpoint. The script must be crafted to exploit frame introspection by accessing the gi_frame attribute, traversing the call stack, and invoking os.popen to execute system commands. Once the script is executed, the payload can be delivered through the API method created on the server script.
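One way to screen stored server scripts for the frame-introspection access described above, as an added example (not Frappe's or RestrictedPython's own code). The denylist entries other than gi_frame, the function name and the sample scripts are assumptions constructed for this illustration.

```python
import ast

# Assumed denylist (only gi_frame comes from the advisory): attributes that
# expose frame, traceback or code objects from ordinary Python values.
INTROSPECTION_ATTRS = frozenset({
    "gi_frame", "gi_code", "gi_yieldfrom",
    "cr_frame", "cr_code", "cr_await",
    "ag_frame", "ag_code",
    "tb_frame", "tb_next",
    "f_back", "f_builtins", "f_code", "f_globals", "f_locals",
})


def find_introspection(source):
    """Return sorted (line, name) pairs where a script touches a denied attribute."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # An unparseable script cannot be reviewed; report it rather than pass it.
        return [(exc.lineno or 0, "<syntax error>")]
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in INTROSPECTION_ATTRS:
            hits.add((node.lineno, node.attr))
        # Also catch the name passed as a string, e.g. getattr(obj, "gi_frame").
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value in INTROSPECTION_ATTRS):
            hits.add((node.lineno, node.value))
    return sorted(hits)


# Constructed sample scripts (not taken from the advisory).
BENIGN_SCRIPT = 'total = sum(r["qty"] for r in rows)\n'
SUSPECT_SCRIPT = (
    "gen = (x for x in [1])\n"
    "frame = gen.gi_frame\n"
    'same = getattr(gen, "gi_frame")\n'
)

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_SCRIPT), ("suspect", SUSPECT_SCRIPT)):
        print(label, find_introspection(script))
```

This is a review aid for scripts already stored on a site; it does not replace enforcement inside the sandbox itself.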