Vulnerability Details CVE-2025-1686
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.
Workaround
This vulnerability can be mitigated by disabling the include macro in Pebble Templates:
java
new PebbleEngine.Builder()
.registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
.disallowedTokenParserTags(List.of("include"))
.build())
.build();
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 49.1%
CVSS Severity
CVSS v3 Score 6.8
References
- https://github.com/PebbleTemplates/pebble/commit/b3451c8f305a1a248fbcc2363fd307d0baaee329
- https://github.com/PebbleTemplates/pebble/issues/680
- https://github.com/PebbleTemplates/pebble/issues/688
- https://pebbletemplates.io/wiki/tag/include
- https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594
- https://github.com/PebbleTemplates/pebble/pull/715
- https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594
Products affected by CVE-2025-1686
-
cpe:2.3:a:pebbletemplates:pebble:*