jinjava Sandbox Bypass via JavaType-Based Deserialization
Description
jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs (e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.hubspot.jinjava:jinjava | Maven | >= 2.8.0, < 2.8.1 | 2.8.1 |
| com.hubspot.jinjava:jinjava | Maven | < 2.7.5 | 2.7.5 |
Affected products
OSV coordinates (4 versions):
- pkg:apk/chainguard/wso2is (no CPE), range: < 7.2.0-r0
- pkg:apk/chainguard/wso2is-compat (no CPE), range: < 7.2.0-r0
- pkg:apk/chainguard/wso2is-doc (no CPE), range: < 7.2.0-r0
- pkg:maven/com.hubspot.jinjava/jinjava (no CPE), range: >= 2.8.0, < 2.8.1
References
- https://github.com/advisories/GHSA-m49c-g9wr-hv6v (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-59340 (GHSA, advisory)
- https://github.com/HubSpot/jinjava/commit/66df351e7e8ad71ca04dcacb4b65782af820b8b1 (GHSA, x_refsource_MISC, web)
- https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.5 (GHSA, web)
- https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.1 (GHSA, x_refsource_MISC, web)
- https://github.com/HubSpot/jinjava/security/advisories/GHSA-m49c-g9wr-hv6v (GHSA, x_refsource_CONFIRM, web)