# Dolibarr ERP & CRM 21.0.1 - Computed Field Remote Code Execution
- **Affected product:** Dolibarr ERP & CRM 21.0.1
- **Vulnerability type:** Remote Code Execution via computed field in User module extra fields configuration
- **Patch:** https://github.com/Dolibarr/dolibarr/commit/b03f30c7e27fb89dbfb15902dbf4619ae77f0f86
## Summary
An authenticated administrator can create or modify a computed field in the User module whose evaluation during page rendering can lead to server-side code execution. The issue demonstrates a path that can bypass prior fixes for computed-field evaluation (including mitigations applied for CVE-2024-40137).
## Impact
- Code execution on the server (high severity).
- Requires an Administrator account on the application.
## Affected versions
- Confirmed affected: Dolibarr ERP & CRM 21.0.1.
- Suspected affected: versions earlier than 21.0.1 (not independently verified).
## Technical description
The computed field feature for user extra fields evaluates administrator-defined expressions each time a view containing the field is rendered. Faulty handling of these expressions allows an administrator-controlled expression to execute code on the server during rendering. Because the expression is part of the stored extra-field configuration, it is evaluated again on every render rather than only once at creation time. This vulnerability bypasses the previous patch for CVE-2024-40137.
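The advisory does not describe how the vulnerable evaluation or the earlier mitigation is implemented, so the following is an added, generic PHP illustration and not Dolibarr's code or the expression used in this report. It contrasts the design that repeatedly fails (a substring denylist in front of `eval()`) with an evaluator that never calls `eval()` at all: a tiny recursive-descent parser that accepts only numbers, field names, arithmetic operators and parentheses. The field names, values and expressions are constructed for the example; PHP 8 syntax is assumed.

```php
<?php
// Added illustration, not Dolibarr code: a denylist in front of eval() is not a
// security boundary, while a restricted evaluator has no code path to reach PHP.
declare(strict_types=1);

// --- Pattern 1: denylist + eval() (the design that keeps getting bypassed) ----
function denylist_eval(string $expr, array $fields): mixed
{
    // Substring denylist, as commonly placed in front of eval().
    $forbidden = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'file_put_contents'];
    foreach ($forbidden as $bad) {
        if (stripos($expr, $bad) !== false) {
            throw new RuntimeException("forbidden token: $bad");
        }
    }
    extract($fields, EXTR_SKIP);          // expose field values as variables
    return eval('return ' . $expr . ';'); // the expression is still PHP code
}

// --- Pattern 2: a restricted evaluator that never touches eval() ---------------
// Grammar:  expr   := term (('+'|'-') term)*
//           term   := factor (('*'|'/') factor)*
//           factor := NUMBER | IDENT | '(' expr ')' | '-' factor
final class SafeExpr
{
    private array $tok;
    private int $pos = 0;

    public function __construct(string $expr, private array $fields)
    {
        // Tokenise with a regex that matches ONLY allowed tokens, then verify the
        // tokens reproduce the whole input: anything skipped (quotes, dots, $,
        // ';', '[') means a disallowed character, so the expression is rejected
        // before any evaluation happens.
        $s = preg_replace('/\s+/', '', $expr);
        preg_match_all('/\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()]/', $s, $m);
        if (implode('', $m[0]) !== $s) {
            throw new InvalidArgumentException('expression contains characters outside the allowed grammar');
        }
        $this->tok = $m[0];
    }

    public function evaluate(): float
    {
        $v = $this->expr();
        if ($this->pos !== count($this->tok)) {
            throw new InvalidArgumentException("unexpected token: {$this->tok[$this->pos]}");
        }
        return $v;
    }

    private function peek(): ?string { return $this->tok[$this->pos] ?? null; }

    private function expr(): float
    {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->tok[$this->pos++];
            $r  = $this->term();
            $v  = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float
    {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->tok[$this->pos++];
            $r  = $this->factor();
            if ($op === '/' && $r == 0.0) {
                throw new DivisionByZeroError('division by zero in computed field');
            }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float
    {
        $t = $this->tok[$this->pos++] ?? throw new InvalidArgumentException('unexpected end of expression');
        if ($t === '-') { return -$this->factor(); }
        if ($t === '(') {
            $v = $this->expr();
            if (($this->tok[$this->pos++] ?? null) !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            return $v;
        }
        if (is_numeric($t)) { return (float) $t; }
        // Identifiers resolve only against the supplied field map, never to
        // PHP variables or functions.
        if (!array_key_exists($t, $this->fields)) {
            throw new InvalidArgumentException("unknown field: $t");
        }
        return (float) $this->fields[$t];
    }
}

// Constructed sample data for a user extra field computation.
$fields = ['salary' => 4200, 'weeklyhours' => 35];

// The denylist passes this expression (no forbidden substring), yet a function
// name assembled at runtime is called anyway; any function can be reached the
// same way, so the list blocks nothing.
var_dump(denylist_eval('("str"."toupper")("bypassed")', []));

// The restricted evaluator computes arithmetic over field values ...
var_dump((new SafeExpr('salary * 12 / (weeklyhours * 52)', $fields))->evaluate());

// ... and rejects the same bypass expression before evaluating anything.
try {
    (new SafeExpr('("str"."toupper")("bypassed")', $fields))->evaluate();
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the second pattern is structural: because the evaluator has no path from an identifier to a PHP function or variable, there is no filter to bypass. A denylist, by contrast, must anticipate every way PHP can spell a call, which is why fixes built on it tend to be followed by further bypass reports such as the one described here.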
## Timeline
- 2025-07-12 — Reported to vendor and MITRE.
- 2025-09-29 — CVE assigned.
- Patch committed: see link above.
## References
- Vendor: https://www.dolibarr.org
- Patch commit: https://github.com/Dolibarr/dolibarr/commit/b03f30c7e27fb89dbfb15902dbf4619ae77f0f86