cvelistv5 - cve-2025-1686

cve-2025-1686

Vulnerability from cvelistv5

Published

2025-02-27 05:00

Modified

2025-02-27 14:44

Severity ?

4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P

Summary

All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();

References

▼	URL	Tags
	report@snyk.io	https://github.com/PebbleTemplates/pebble/issues/680
	report@snyk.io	https://github.com/PebbleTemplates/pebble/issues/688
	report@snyk.io	https://pebbletemplates.io/wiki/tag/include
	report@snyk.io	https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594

Impacted products

	Vendor	Product	Version
	n/a	io.pebbletemplates:pebble	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1686",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T14:44:07.532280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-73",
                "description": "CWE-73 External Control of File Name or Path",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T14:44:57.552Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "io.pebbletemplates:pebble",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jonathan Leitschuh"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\r\r Workaround\r\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\r\rjava\rnew PebbleEngine.Builder()\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\r                    .disallowedTokenParserTags(List.of(\"include\"))\r                    .build())\r            .build();"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P",
            "version": "3.1"
          },
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "External Control of File Name or Path",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-27T05:00:05.848Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
        },
        {
          "url": "https://github.com/PebbleTemplates/pebble/issues/680"
        },
        {
          "url": "https://pebbletemplates.io/wiki/tag/include"
        },
        {
          "url": "https://github.com/PebbleTemplates/pebble/issues/688"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2025-1686",
    "datePublished": "2025-02-27T05:00:05.848Z",
    "dateReserved": "2025-02-25T10:32:01.608Z",
    "dateUpdated": "2025-02-27T14:44:57.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-1686\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2025-02-27T05:15:14.143\",\"lastModified\":\"2025-02-27T15:15:40.940\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\\r\\r Workaround\\r\\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\\r\\rjava\\rnew PebbleEngine.Builder()\\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\\r                    .disallowedTokenParserTags(List.of(\\\"include\\\"))\\r                    .build())\\r            .build();\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"references\":[{\"url\":\"https://github.com/PebbleTemplates/pebble/issues/680\",\"source\":\"report@snyk.io\"},{\"url\":\"https://github.com/PebbleTemplates/pebble/issues/688\",\"source\":\"report@snyk.io\"},{\"url\":\"https://pebbletemplates.io/wiki/tag/include\",\"source\":\"report@snyk.io\"},{\"url\":\"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\",\"source\":\"report@snyk.io\"},{\"url\":\"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"exploitCodeMaturity\": \"PROOF_OF_CONCEPT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P\"}, \"cvssV4_0\": {\"version\": \"4.0\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"exploitMaturity\": \"PROOF_OF_CONCEPT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P\"}}], \"credits\": [{\"value\": \"Jonathan Leitschuh\", \"lang\": \"en\"}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-73\", \"description\": \"External Control of File Name or Path\", \"lang\": \"en\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2025-02-27T05:00:05.848Z\"}, \"descriptions\": [{\"value\": \"All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\\r\\r Workaround\\r\\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\\r\\rjava\\rnew PebbleEngine.Builder()\\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\\r                    .disallowedTokenParserTags(List.of(\\\"include\\\"))\\r                    .build())\\r            .build();\", \"lang\": \"en\"}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\"}, {\"url\": \"https://github.com/PebbleTemplates/pebble/issues/680\"}, {\"url\": \"https://pebbletemplates.io/wiki/tag/include\"}, {\"url\": \"https://github.com/PebbleTemplates/pebble/issues/688\"}], \"affected\": [{\"product\": \"io.pebbletemplates:pebble\", \"versions\": [{\"version\": \"0\", \"lessThan\": \"*\", \"status\": \"affected\", \"versionType\": \"semver\"}], \"vendor\": \"n/a\"}]}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1686\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T14:44:07.532280Z\"}}}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594\", \"tags\": [\"exploit\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73 External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T14:44:39.962Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-1686\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"snyk\", \"dateReserved\": \"2025-02-25T10:32:01.608Z\", \"datePublished\": \"2025-02-27T05:00:05.848Z\", \"dateUpdated\": \"2025-02-27T14:44:57.552Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-p75g-cxfj-7wrx

Vulnerability from github

Published

2025-02-28 19:45

Modified

2025-02-28 19:45

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
7.0 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:L/SI:N/SA:N

Summary

Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro

Details

Summary

If untrusted user input is used to dynamically create a PebbleTemplate with the method PebbleEngine#getLiteralTemplate, then an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of PebbleTemplate#evaluate. This is done via the include macro.

Details

The include macro calls PebbleTempateImpl#resolveRelativePath with the relativePath argument passed within the template:

Example template: {% include [relativePath] %} When resolveRelativePath is called, the relativePath is resolved against the PebbleTemplateImpl.name variable.

java /** * This method resolves the given relative path based on this template file path. * * @param relativePath the path which should be resolved. * @return the resolved path. */ public String resolveRelativePath(String relativePath) { String resolved = this.engine.getLoader().resolveRelativePath(relativePath, this.name); if (resolved == null) { return relativePath; } else { return resolved; } } https://github.com/PebbleTemplates/pebble/blob/82ad7fcf9e9eaa45ee82ae3335a1409d19c10263/pebble/src/main/java/io/pebbletemplates/pebble/template/PebbleTemplateImpl.java#L380

Unfortunately, when the template is created from a string, as is the case when PebbleEngine#getLiteralTemplate is used, the PebbleTemplateImpl.name variable is actually the entirety of the contents of the template, not a filename as the logic expects. The net result is that the relativePath is resolved against the system root directory. As a result, files accessible from the root directory of the filesystem can be included into a template.

PoC

The following test demonstrates the vulnerability:

```java PebbleEngine e = new PebbleEngine.Builder().build();

String templateString = """ {% include '/etc/passwd' %} """; PebbleTemplate template = e.getLiteralTemplate(templateString);

try (final Writer writer = new StringWriter()) { template.evaluate(writer, new HashMap<>()); System.out.println(writer); } ```

As an attacker, the following malicious template demonstrates the vulnerability:

{% include '/etc/passwd' %}

Impact

This is an arbitrary Local File Inclusion (LFI) vulnerability. It can allow attackers to exfiltrate the contents of the local filesystem, including sensitive files into PebbleTemplate output. This can also be used to access the /proc filesystem which can give an attacker access to environment variables.

Fix

There exists no published fix for this vulnerability. The best way to mitigate this vulnerability is to disable the include macro in Pebble Templates.

The following can safeguard your application from this vulnerability:

java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();

Report Timeline

Vulnerability was reported under the Open Source Security Foundation (OpenSSF) Model Outbound Vulnerability Disclosure Policy: Version 0.1.

Jul 15, 2024 Maintainer Contacted to enable private vulnerability reporting
Jul 18, 2024 I opened a GHSA to report this vulnerability to the maintainer https://github.com/PebbleTemplates/pebble/security/advisories/GHSA-7c6h-hmf9-7wj7 (private link)
Jul 29, 2024 GHSA updated to ping maintainer about vulnerability, no response
Oct 1, 2024 GHSA updated to ping maintainer about vulnerability, no response
Nov 15, 2024 GHSA updated to inform maintainer that disclosure timeline had lapsed, no response.
Feb 19, 2025 GHSA updated to inform maintainer that disclosure would occur imminently, no response.
Feb 24, 2025 this GHSA was created to disclose this vulnerability without a patch available.

For further discussion, see this issue: https://github.com/PebbleTemplates/pebble/issues/688

Credit

This vulnerability was discovered by @JLLeitschuh while at Chainguard Labs. Jonathan is currently independent.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.pebbletemplates:pebble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-28T19:45:03Z",
    "nvd_published_at": "2025-02-27T05:15:14Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nIf untrusted user input is used to dynamically create a `PebbleTemplate` with the method `PebbleEngine#getLiteralTemplate`, then an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of `PebbleTemplate#evaluate`. This is done via the `include` macro.\n\n### Details\n\nThe `include` macro calls `PebbleTempateImpl#resolveRelativePath` with the `relativePath` argument passed within the template:\n\nExample template:\n```\n{% include [relativePath] %}\n```\nWhen `resolveRelativePath` is called, the `relativePath`  is resolved against the `PebbleTemplateImpl.name` variable.\n\n```java\n  /**\n   * This method resolves the given relative path based on this template file path.\n   *\n   * @param relativePath the path which should be resolved.\n   * @return the resolved path.\n   */\n  public String resolveRelativePath(String relativePath) {\n    String resolved = this.engine.getLoader().resolveRelativePath(relativePath, this.name);\n    if (resolved == null) {\n      return relativePath;\n    } else {\n      return resolved;\n    }\n  }\n```\nhttps://github.com/PebbleTemplates/pebble/blob/82ad7fcf9e9eaa45ee82ae3335a1409d19c10263/pebble/src/main/java/io/pebbletemplates/pebble/template/PebbleTemplateImpl.java#L380\n\nUnfortunately, when the template is created from a string, as is the case when `PebbleEngine#getLiteralTemplate` is used, the `PebbleTemplateImpl.name` variable is actually the entirety of the contents of the template, not a filename as the logic expects. The net result is that the `relativePath` is resolved against the system root directory. As a result, files accessible from the root directory of the filesystem can be included into a template. \n\n### PoC\n\nThe following test demonstrates the vulnerability:\n\n```java\nPebbleEngine e = new PebbleEngine.Builder().build();\n\nString templateString = \"\"\"\n        {% include \u0027/etc/passwd\u0027 %}\n        \"\"\";\nPebbleTemplate template = e.getLiteralTemplate(templateString);\n\ntry (final Writer writer = new StringWriter()) {\n    template.evaluate(writer, new HashMap\u003c\u003e());\n    System.out.println(writer);\n}\n```\n\nAs an attacker, the following malicious template demonstrates the vulnerability:\n\n```\n{% include \u0027/etc/passwd\u0027 %}\n```\n\n### Impact\n\nThis is an arbitrary  Local File Inclusion (LFI) vulnerability. It can allow attackers to exfiltrate the contents of the local filesystem, including sensitive files into `PebbleTemplate` output. This can also be used to access the `/proc` filesystem which can give an attacker access to environment variables.\n\n### Fix\n\nThere exists no published fix for this vulnerability. The best way to mitigate this vulnerability is to disable the `include` macro in Pebble Templates.\n\nThe following can safeguard your application from this vulnerability:\n\n```java\nnew PebbleEngine.Builder()\n            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\n                    .disallowedTokenParserTags(List.of(\"include\"))\n                    .build())\n            .build();\n```\n\n### Report Timeline\n\nVulnerability was reported under the Open Source Security Foundation (OpenSSF) [Model Outbound Vulnerability Disclosure Policy: Version 0.1](https://openssf.org/about/vulnerability-disclosure-policy/).\n\n - [Jul 15, 2024](https://github.com/PebbleTemplates/pebble/issues/680#issue-2409727829) Maintainer Contacted to enable private vulnerability reporting\n - [Jul 18, 2024](https://github.com/PebbleTemplates/pebble/issues/680#issuecomment-2236970984) I opened a GHSA \n to report this vulnerability to the maintainer https://github.com/PebbleTemplates/pebble/security/advisories/GHSA-7c6h-hmf9-7wj7 (private link)\n - Jul 29, 2024 GHSA updated to ping maintainer about vulnerability, no response\n - Oct 1, 2024 GHSA updated to ping maintainer about vulnerability, no response\n - Nov 15, 2024 GHSA updated to inform maintainer that disclosure timeline had lapsed, no response.\n - Feb 19, 2025 GHSA updated to inform maintainer that disclosure would occur imminently, no response.\n - Feb 24, 2025 this GHSA was created to disclose this vulnerability **without a patch available**.\n\nFor further discussion, see this issue: https://github.com/PebbleTemplates/pebble/issues/688\n\n### Credit\n\nThis vulnerability was discovered by @JLLeitschuh while at [Chainguard Labs](https://www.chainguard.dev). Jonathan is currently independent.",
  "id": "GHSA-p75g-cxfj-7wrx",
  "modified": "2025-02-28T19:45:03Z",
  "published": "2025-02-28T19:45:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-p75g-cxfj-7wrx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PebbleTemplates/pebble/issues/680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PebbleTemplates/pebble/issues/688"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PebbleTemplates/pebble"
    },
    {
      "type": "WEB",
      "url": "https://pebbletemplates.io/wiki/tag/include"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro"
}

fkie_cve-2025-1686

Vulnerability from fkie_nvd

Published

2025-02-27 05:15

Modified

2025-02-27 15:15

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Summary

References

▼	URL	Tags
	report@snyk.io	https://github.com/PebbleTemplates/pebble/issues/680
	report@snyk.io	https://github.com/PebbleTemplates/pebble/issues/688
	report@snyk.io	https://pebbletemplates.io/wiki/tag/include
	report@snyk.io	https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\r\r Workaround\r\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\r\rjava\rnew PebbleEngine.Builder()\r            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\r                    .disallowedTokenParserTags(List.of(\"include\"))\r                    .build())\r            .build();"
    },
    {
      "lang": "es",
      "value": "Todas las versiones del paquete io.pebbletemplates:pebble son vulnerables al control externo del nombre o la ruta de archivo a trav\u00e9s de la etiqueta include. Un atacante con privilegios elevados puede acceder a archivos locales confidenciales mediante la manipulaci\u00f3n de plantillas de notificaci\u00f3n maliciosas que aprovechen esta etiqueta para incluir archivos como /etc/passwd o /proc/1/environ. Soluci\u00f3n alternativa Esta vulnerabilidad se puede mitigar deshabilitando la macro include en las plantillas Pebble: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of(\"include\")) .build()) .build();"
    }
  ],
  "id": "CVE-2025-1686",
  "lastModified": "2025-02-27T15:15:40.940",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "report@snyk.io",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "report@snyk.io",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-27T05:15:14.143",
  "references": [
    {
      "source": "report@snyk.io",
      "url": "https://github.com/PebbleTemplates/pebble/issues/680"
    },
    {
      "source": "report@snyk.io",
      "url": "https://github.com/PebbleTemplates/pebble/issues/688"
    },
    {
      "source": "report@snyk.io",
      "url": "https://pebbletemplates.io/wiki/tag/include"
    },
    {
      "source": "report@snyk.io",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"
    }
  ],
  "sourceIdentifier": "report@snyk.io",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "report@snyk.io",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2025-1686

Vulnerability from cvelistv5

ghsa-p75g-cxfj-7wrx

Vulnerability from github

Summary

Details

PoC

Impact

Fix

Report Timeline

Credit

fkie_cve-2025-1686

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature