{"vulnerability": "GHSA-MGGX-P7JF-JGW4", "sightings": [{"uuid": "558df5df-4fd7-480b-8b0f-eb142f632ab1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-MGGX-P7JF-JGW4", "type": "seen", "source": "https://gist.github.com/alon710/9fc35b1e537c7d33fcc6512ec6181c7a", "content": "# GHSA-MGGX-P7JF-JGW4: GHSA-mggx-p7jf-jgw4: Remote Code Execution via FreeMarker Template Injection in Jdbi\n\n> **CVSS Score:** 7.7\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/GHSA-MGGX-P7JF-JGW4\n\n## Summary\nThe `jdbi3-freemarker` module in the Jdbi library contains an insecure default configuration that allows Remote Code Execution (RCE). The FreeMarker template engine is initialized without a restrictive class resolver, permitting attackers to execute arbitrary system commands via the `?new` directive when application input is unsafely concatenated into SQL templates. This vulnerability affects all versions up to 3.52.1 and is resolved in version 3.53.0.\n\n## TL;DR\nJdbi's FreeMarker module (<= 3.52.1) is vulnerable to RCE due to an unrestricted template class resolver. Attackers can leverage the `?new` directive to execute OS commands if user input reaches the template engine. Upgrading to 3.53.0 resolves the issue.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1336\n- **Attack Vector**: Network\n- **CVSS Score**: 7.7\n- **Impact**: Remote Code Execution (RCE)\n- **Exploit Status**: Proof of Concept Available\n- **Affected Component**: jdbi3-freemarker Template Initialization\n\n## Affected Systems\n\n- org.jdbi:jdbi3-freemarker <= 3.52.1\n- **jdbi3-freemarker**: <= 3.52.1 (Fixed in: `3.53.0`)\n\n## Mitigation\n\n- Upgrade to org.jdbi:jdbi3-freemarker version 3.53.0 or later.\n- Audit application source code for unsafe string concatenation prior to Jdbi query execution.\n- Ensure all user-supplied data is passed to Jdbi via parameter binding mechanisms rather than string interpolation.\n- If reflective instantiation is required via `?new`, implement a strict allowlist using a custom TemplateClassResolver.\n\n**Remediation Steps:**\n1. Identify the current version of org.jdbi:jdbi3-freemarker in project dependency manifests (e.g., pom.xml, build.gradle).\n2. Update the version definition to 3.53.0.\n3. Recompile the application and execute integration tests to ensure no legitimate FreeMarker templates relied on the `?new` built-in.\n4. Deploy the updated application to production environments.\n5. Review application source code calling Handle.createQuery(), createUpdate(), createCall(), createScript(), and Batch.add() for string concatenation.\n\n## References\n\n- [GitHub Security Advisory: GHSA-mggx-p7jf-jgw4](https://github.com/jdbi/jdbi/security/advisories/GHSA-mggx-p7jf-jgw4)\n- [Jdbi Repository](https://github.com/jdbi/jdbi)\n- [OSV Record: GHSA-mggx-p7jf-jgw4](https://osv.dev/vulnerability/GHSA-mggx-p7jf-jgw4)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-MGGX-P7JF-JGW4) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-06T07:10:29.000000Z"}]}