CVE-2025-53833
Severity: CRITICAL 10.0 | EPSS: 20.8%
LaRecipe is vulnerable to Server-Side Template Injection attacks
Published: 7/14/2025 | Modified: 7/28/2025
Description
### Impact

A critical vulnerability was discovered in LaRecipe that allows an attacker to perform Server-Side Template Injection (SSTI), potentially leading to Remote Code Execution (RCE) in vulnerable configurations.

Attackers could:

1. Execute arbitrary commands on the server
2. Access sensitive environment variables
3. Escalate access depending on server configuration

### Patches

Users are strongly advised to upgrade to version v2.8.1 or later.

### Credit

We would like to thank **Roman Ananev** for responsibly identifying and reporting this vulnerability.
Affected packages (1)
- Packagist: binarytorch/larecipe, affected versions from 0, < 2.8.1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-53833
- PATCH: https://github.com/saleem-hadad/larecipe
- WEB: https://github.com/saleem-hadad/larecipe/commit/c1d0d56889655ce5f2645db5acf0e78d5fc3b36b
- WEB: https://github.com/saleem-hadad/larecipe/pull/390
- WEB: https://github.com/saleem-hadad/larecipe/security/advisories/GHSA-jv7x-xhv2-p5v2