CVE-2025-1686
Description
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high-privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files such as /etc/passwd or /proc/1/environ.

Workaround
This vulnerability can be mitigated by disabling the include tag in Pebble Templates:

```java
import java.util.List;
// Package names follow the Pebble 3.2+ layout (io.pebbletemplates.pebble); the exact
// import paths are assumed here, older releases used the com.mitchellbosecke.pebble prefix.
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.extension.DisallowExtensionCustomizerBuilder;

// Build an engine whose parser rejects the {% include %} tag, so a template
// can no longer pull arbitrary files into its output.
PebbleEngine engine = new PebbleEngine.Builder()
    .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
        .disallowedTokenParserTags(List.of("include"))
        .build())
    .build();
```
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.pebbletemplates:pebble | Maven | <= 3.2.3 | — |
Affected products
- cpe:2.3:a:pebbletemplates:pebble_templates:*:*:*:*:*:*:*:* (range: < 4.1.0)
- OSV coordinates (no CPE), 5 packages:
  - pkg:apk/chainguard/dependency-track (range: < 4.13.5-r0)
  - pkg:apk/chainguard/dependency-track-bundled (range: < 4.13.5-r0)
  - pkg:apk/wolfi/dependency-track (range: < 4.13.5-r0)
  - pkg:apk/wolfi/dependency-track-bundled (range: < 4.13.5-r0)
  - pkg:maven/io.pebbletemplates/pebble (range: <= 3.2.3)
References
- github.com/PebbleTemplates/pebble/commit/b3451c8f305a1a248fbcc2363fd307d0baaee329 (NVD: Patch)
- github.com/PebbleTemplates/pebble/pull/715 (NVD: Issue Tracking, Patch)
- security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594 (NVD: Exploit, Third Party Advisory)
- github.com/PebbleTemplates/pebble/issues/688 (NVD: Issue Tracking, Vendor Advisory)
- github.com/advisories/GHSA-p75g-cxfj-7wrx (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-1686 (GHSA: Advisory)
- github.com/JLLeitschuh/security-research/security/advisories/GHSA-p75g-cxfj-7wrx (GHSA: Web)
- github.com/PebbleTemplates/pebble/issues/680 (NVD: Issue Tracking)
- pebbletemplates.io/wiki/tag/include (NVD: Product)