CVE-2025-53833
CRITICAL 10.0 | EPSS 20.8% | LaRecipe is vulnerable to Server-Side Template Injection attacks
Published: 2025/7/14 | Modified: 2025/7/28
Description
### Impact

Attackers could:

1. Execute arbitrary commands on the server
2. Access sensitive environment variables
3. Escalate access depending on server configuration

A critical vulnerability was discovered in LaRecipe that allows an attacker to perform Server-Side Template Injection (SSTI), potentially leading to Remote Code Execution (RCE) in vulnerable configurations.

### Patches

Users are strongly advised to upgrade to version v2.8.1 or later.

### Credit

We would like to thank **Roman Ananev** for responsibly identifying and reporting this vulnerability.
Affected packages (1)
- Packagist / binarytorch/larecipe: from 0, < 2.8.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-53833
- PATCH: https://github.com/saleem-hadad/larecipe
- WEB: https://github.com/saleem-hadad/larecipe/commit/c1d0d56889655ce5f2645db5acf0e78d5fc3b36b
- WEB: https://github.com/saleem-hadad/larecipe/pull/390
- WEB: https://github.com/saleem-hadad/larecipe/security/advisories/GHSA-jv7x-xhv2-p5v2