cvelistv5 - cve-2025-1686

CVE-2025-1686 (GCVE-0-2025-1686)

Vulnerability from cvelistv5 – Published: 2025-02-27 05:00 – Updated: 2025-02-27 14:44

Summary

All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P

CWE

CWE-73 - External Control of File Name or Path

Assigner

snyk

References

URL

Tags

	https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLET…
	https://github.com/PebbleTemplates/pebble/issues/680
	https://pebbletemplates.io/wiki/tag/include
	https://github.com/PebbleTemplates/pebble/issues/688

Impacted products

	Vendor	Product	Version
	n/a	io.pebbletemplates:pebble	Affected: 0 , < * (semver)

Credits

Jonathan Leitschuh

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1686",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T14:44:07.532280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-73",
                "description": "CWE-73 External Control of File Name or Path",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T14:44:57.552Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "io.pebbletemplates:pebble",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jonathan Leitschuh"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\r\r Workaround\r\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\r\rjava\rnew PebbleEngine.Builder()\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\r                    .disallowedTokenParserTags(List.of(\"include\"))\r                    .build())\r            .build();"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P",
            "version": "3.1"
          },
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "External Control of File Name or Path",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-27T05:00:05.848Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
        },
        {
          "url": "https://github.com/PebbleTemplates/pebble/issues/680"
        },
        {
          "url": "https://pebbletemplates.io/wiki/tag/include"
        },
        {
          "url": "https://github.com/PebbleTemplates/pebble/issues/688"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2025-1686",
    "datePublished": "2025-02-27T05:00:05.848Z",
    "dateReserved": "2025-02-25T10:32:01.608Z",
    "dateUpdated": "2025-02-27T14:44:57.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-1686\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2025-02-27T05:15:14.143\",\"lastModified\":\"2025-04-07T18:29:22.970\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\\r\\r Workaround\\r\\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\\r\\rjava\\rnew PebbleEngine.Builder()\\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\\r                    .disallowedTokenParserTags(List.of(\\\"include\\\"))\\r                    .build())\\r            .build();\"},{\"lang\":\"es\",\"value\":\"Todas las versiones del paquete io.pebbletemplates:pebble son vulnerables al control externo del nombre o la ruta de archivo a trav\u00e9s de la etiqueta include. Un atacante con privilegios elevados puede acceder a archivos locales confidenciales mediante la manipulaci\u00f3n de plantillas de notificaci\u00f3n maliciosas que aprovechen esta etiqueta para incluir archivos como /etc/passwd o /proc/1/environ. Soluci\u00f3n alternativa Esta vulnerabilidad se puede mitigar deshabilitando la macro include en las plantillas Pebble: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of(\\\"include\\\")) .build()) .build();\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pebbletemplates:pebble:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FFCA887-2A68-4039-B1BD-19EF231955B7\"}]}]}],\"references\":[{\"url\":\"https://github.com/PebbleTemplates/pebble/issues/680\",\"source\":\"report@snyk.io\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/PebbleTemplates/pebble/issues/688\",\"source\":\"report@snyk.io\",\"tags\":[\"Vendor Advisory\",\"Issue Tracking\"]},{\"url\":\"https://pebbletemplates.io/wiki/tag/include\",\"source\":\"report@snyk.io\",\"tags\":[\"Product\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"exploitCodeMaturity\": \"PROOF_OF_CONCEPT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P\"}, \"cvssV4_0\": {\"version\": \"4.0\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"exploitMaturity\": \"PROOF_OF_CONCEPT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P\"}}], \"credits\": [{\"value\": \"Jonathan Leitschuh\", \"lang\": \"en\"}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-73\", \"description\": \"External Control of File Name or Path\", \"lang\": \"en\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2025-02-27T05:00:05.848Z\"}, \"descriptions\": [{\"value\": \"All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\\r\\r Workaround\\r\\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\\r\\rjava\\rnew PebbleEngine.Builder()\\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\\r                    .disallowedTokenParserTags(List.of(\\\"include\\\"))\\r                    .build())\\r            .build();\", \"lang\": \"en\"}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\"}, {\"url\": \"https://github.com/PebbleTemplates/pebble/issues/680\"}, {\"url\": \"https://pebbletemplates.io/wiki/tag/include\"}, {\"url\": \"https://github.com/PebbleTemplates/pebble/issues/688\"}], \"affected\": [{\"product\": \"io.pebbletemplates:pebble\", \"versions\": [{\"version\": \"0\", \"lessThan\": \"*\", \"status\": \"affected\", \"versionType\": \"semver\"}], \"vendor\": \"n/a\"}]}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1686\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T14:44:07.532280Z\"}}}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\", \"tags\": [\"exploit\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73 External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T14:44:39.962Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-1686\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"snyk\", \"dateReserved\": \"2025-02-25T10:32:01.608Z\", \"datePublished\": \"2025-02-27T05:00:05.848Z\", \"dateUpdated\": \"2025-02-27T14:44:57.552Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-1686

Vulnerability from fkie_nvd - Published: 2025-02-27 05:15 - Updated: 2025-04-07 18:29

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
report@snyk.io	https://github.com/PebbleTemplates/pebble/issues/680	Issue Tracking
report@snyk.io	https://github.com/PebbleTemplates/pebble/issues/688	Vendor Advisory, Issue Tracking
report@snyk.io	https://pebbletemplates.io/wiki/tag/include	Product
report@snyk.io	https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594	Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	pebbletemplates	pebble	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pebbletemplates:pebble:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4FFCA887-2A68-4039-B1BD-19EF231955B7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\r\r Workaround\r\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\r\rjava\rnew PebbleEngine.Builder()\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\r                    .disallowedTokenParserTags(List.of(\"include\"))\r                    .build())\r            .build();"
    },
    {
      "lang": "es",
      "value": "Todas las versiones del paquete io.pebbletemplates:pebble son vulnerables al control externo del nombre o la ruta de archivo a trav\u00e9s de la etiqueta include. Un atacante con privilegios elevados puede acceder a archivos locales confidenciales mediante la manipulaci\u00f3n de plantillas de notificaci\u00f3n maliciosas que aprovechen esta etiqueta para incluir archivos como /etc/passwd o /proc/1/environ. Soluci\u00f3n alternativa Esta vulnerabilidad se puede mitigar deshabilitando la macro include en las plantillas Pebble: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of(\"include\")) .build()) .build();"
    }
  ],
  "id": "CVE-2025-1686",
  "lastModified": "2025-04-07T18:29:22.970",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "report@snyk.io",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "report@snyk.io",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-27T05:15:14.143",
  "references": [
    {
      "source": "report@snyk.io",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/PebbleTemplates/pebble/issues/680"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://github.com/PebbleTemplates/pebble/issues/688"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Product"
      ],
      "url": "https://pebbletemplates.io/wiki/tag/include"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
    }
  ],
  "sourceIdentifier": "report@snyk.io",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "report@snyk.io",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-P75G-CXFJ-7WRX

Vulnerability from github – Published: 2025-02-28 19:45 – Updated: 2025-02-28 19:45

Summary

Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro

Details

Summary

If untrusted user input is used to dynamically create a PebbleTemplate with the method PebbleEngine#getLiteralTemplate, then an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of PebbleTemplate#evaluate. This is done via the include macro.

Details

The include macro calls PebbleTempateImpl#resolveRelativePath with the relativePath argument passed within the template:

Example template:

{% include [relativePath] %}

When resolveRelativePath is called, the relativePath is resolved against the PebbleTemplateImpl.name variable.

  /**
   * This method resolves the given relative path based on this template file path.
   *
   * @param relativePath the path which should be resolved.
   * @return the resolved path.
   */
  public String resolveRelativePath(String relativePath) {
    String resolved = this.engine.getLoader().resolveRelativePath(relativePath, this.name);
    if (resolved == null) {
      return relativePath;
    } else {
      return resolved;
    }
  }

https://github.com/PebbleTemplates/pebble/blob/82ad7fcf9e9eaa45ee82ae3335a1409d19c10263/pebble/src/main/java/io/pebbletemplates/pebble/template/PebbleTemplateImpl.java#L380

Unfortunately, when the template is created from a string, as is the case when PebbleEngine#getLiteralTemplate is used, the PebbleTemplateImpl.name variable is actually the entirety of the contents of the template, not a filename as the logic expects. The net result is that the relativePath is resolved against the system root directory. As a result, files accessible from the root directory of the filesystem can be included into a template.

PoC

The following test demonstrates the vulnerability:

PebbleEngine e = new PebbleEngine.Builder().build();

String templateString = """
        {% include '/etc/passwd' %}
        """;
PebbleTemplate template = e.getLiteralTemplate(templateString);

try (final Writer writer = new StringWriter()) {
    template.evaluate(writer, new HashMap<>());
    System.out.println(writer);
}

As an attacker, the following malicious template demonstrates the vulnerability:

{% include '/etc/passwd' %}

Impact

This is an arbitrary Local File Inclusion (LFI) vulnerability. It can allow attackers to exfiltrate the contents of the local filesystem, including sensitive files into PebbleTemplate output. This can also be used to access the /proc filesystem which can give an attacker access to environment variables.

Fix

There exists no published fix for this vulnerability. The best way to mitigate this vulnerability is to disable the include macro in Pebble Templates.

The following can safeguard your application from this vulnerability:

new PebbleEngine.Builder()
            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                    .disallowedTokenParserTags(List.of("include"))
                    .build())
            .build();

Report Timeline

Vulnerability was reported under the Open Source Security Foundation (OpenSSF) Model Outbound Vulnerability Disclosure Policy: Version 0.1.

Jul 15, 2024 Maintainer Contacted to enable private vulnerability reporting
Jul 18, 2024 I opened a GHSA to report this vulnerability to the maintainer https://github.com/PebbleTemplates/pebble/security/advisories/GHSA-7c6h-hmf9-7wj7 (private link)
Jul 29, 2024 GHSA updated to ping maintainer about vulnerability, no response
Oct 1, 2024 GHSA updated to ping maintainer about vulnerability, no response
Nov 15, 2024 GHSA updated to inform maintainer that disclosure timeline had lapsed, no response.
Feb 19, 2025 GHSA updated to inform maintainer that disclosure would occur imminently, no response.
Feb 24, 2025 this GHSA was created to disclose this vulnerability without a patch available.

For further discussion, see this issue: https://github.com/PebbleTemplates/pebble/issues/688

Credit

This vulnerability was discovered by @JLLeitschuh while at Chainguard Labs. Jonathan is currently independent.

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

7.0 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:L/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.pebbletemplates:pebble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-28T19:45:03Z",
    "nvd_published_at": "2025-02-27T05:15:14Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nIf untrusted user input is used to dynamically create a `PebbleTemplate` with the method `PebbleEngine#getLiteralTemplate`, then an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of `PebbleTemplate#evaluate`. This is done via the `include` macro.\n\n### Details\n\nThe `include` macro calls `PebbleTempateImpl#resolveRelativePath` with the `relativePath` argument passed within the template:\n\nExample template:\n```\n{% include [relativePath] %}\n```\nWhen `resolveRelativePath` is called, the `relativePath`  is resolved against the `PebbleTemplateImpl.name` variable.\n\n```java\n  /**\n   * This method resolves the given relative path based on this template file path.\n   *\n   * @param relativePath the path which should be resolved.\n   * @return the resolved path.\n   */\n  public String resolveRelativePath(String relativePath) {\n    String resolved = this.engine.getLoader().resolveRelativePath(relativePath, this.name);\n    if (resolved == null) {\n      return relativePath;\n    } else {\n      return resolved;\n    }\n  }\n```\nhttps://github.com/PebbleTemplates/pebble/blob/82ad7fcf9e9eaa45ee82ae3335a1409d19c10263/pebble/src/main/java/io/pebbletemplates/pebble/template/PebbleTemplateImpl.java#L380\n\nUnfortunately, when the template is created from a string, as is the case when `PebbleEngine#getLiteralTemplate` is used, the `PebbleTemplateImpl.name` variable is actually the entirety of the contents of the template, not a filename as the logic expects. The net result is that the `relativePath` is resolved against the system root directory. As a result, files accessible from the root directory of the filesystem can be included into a template. \n\n### PoC\n\nThe following test demonstrates the vulnerability:\n\n```java\nPebbleEngine e = new PebbleEngine.Builder().build();\n\nString templateString = \"\"\"\n        {% include \u0027/etc/passwd\u0027 %}\n        \"\"\";\nPebbleTemplate template = e.getLiteralTemplate(templateString);\n\ntry (final Writer writer = new StringWriter()) {\n    template.evaluate(writer, new HashMap\u003c\u003e());\n    System.out.println(writer);\n}\n```\n\nAs an attacker, the following malicious template demonstrates the vulnerability:\n\n```\n{% include \u0027/etc/passwd\u0027 %}\n```\n\n### Impact\n\nThis is an arbitrary  Local File Inclusion (LFI) vulnerability. It can allow attackers to exfiltrate the contents of the local filesystem, including sensitive files into `PebbleTemplate` output. This can also be used to access the `/proc` filesystem which can give an attacker access to environment variables.\n\n### Fix\n\nThere exists no published fix for this vulnerability. The best way to mitigate this vulnerability is to disable the `include` macro in Pebble Templates.\n\nThe following can safeguard your application from this vulnerability:\n\n```java\nnew PebbleEngine.Builder()\n            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\n                    .disallowedTokenParserTags(List.of(\"include\"))\n                    .build())\n            .build();\n```\n\n### Report Timeline\n\nVulnerability was reported under the Open Source Security Foundation (OpenSSF) [Model Outbound Vulnerability Disclosure Policy: Version 0.1](https://openssf.org/about/vulnerability-disclosure-policy/).\n\n - [Jul 15, 2024](https://github.com/PebbleTemplates/pebble/issues/680#issue-2409727829) Maintainer Contacted to enable private vulnerability reporting\n - [Jul 18, 2024](https://github.com/PebbleTemplates/pebble/issues/680#issuecomment-2236970984) I opened a GHSA \n to report this vulnerability to the maintainer https://github.com/PebbleTemplates/pebble/security/advisories/GHSA-7c6h-hmf9-7wj7 (private link)\n - Jul 29, 2024 GHSA updated to ping maintainer about vulnerability, no response\n - Oct 1, 2024 GHSA updated to ping maintainer about vulnerability, no response\n - Nov 15, 2024 GHSA updated to inform maintainer that disclosure timeline had lapsed, no response.\n - Feb 19, 2025 GHSA updated to inform maintainer that disclosure would occur imminently, no response.\n - Feb 24, 2025 this GHSA was created to disclose this vulnerability **without a patch available**.\n\nFor further discussion, see this issue: https://github.com/PebbleTemplates/pebble/issues/688\n\n### Credit\n\nThis vulnerability was discovered by @JLLeitschuh while at [Chainguard Labs](https://www.chainguard.dev). Jonathan is currently independent.",
  "id": "GHSA-p75g-cxfj-7wrx",
  "modified": "2025-02-28T19:45:03Z",
  "published": "2025-02-28T19:45:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-p75g-cxfj-7wrx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PebbleTemplates/pebble/issues/680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PebbleTemplates/pebble/issues/688"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PebbleTemplates/pebble"
    },
    {
      "type": "WEB",
      "url": "https://pebbletemplates.io/wiki/tag/include"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-1686 (GCVE-0-2025-1686)

FKIE_CVE-2025-1686

GHSA-P75G-CXFJ-7WRX

Summary

Details

PoC

Impact

Fix

Report Timeline

Credit

Tags

Sightings

Nomenclature