FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE
Description
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the string_render API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, the API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Workarounds for installations that cannot upgrade immediately: audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and block external access to /api/system/* at the reverse proxy or WAF to prevent chaining with the authorization bypass GHSA-78x5-c8gw-8279.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <0.8.0
Patches
Vulnerability mechanics
Root cause
"Twig templates are rendered without a sandbox, allowing injected expressions to access the full Twig environment, API context, and the application's dependency injection container."
Attack vector
An administrator with access to Twig template rendering features (email templates, mass mail campaigns, custom payment adapters, or the `string_render` API endpoint) injects arbitrary Twig expressions into a template string [ref_id=1]. Because Twig is configured without a sandbox and with `StringLoaderExtension` enabled, the injected expression can access API globals (`guest`, `admin`, `client`) and call `getDi()` on them to retrieve the full dependency injection container [ref_id=1]. From the DI container, the attacker can obtain the PDO object for arbitrary SQL, the Symfony FilesystemAdapter for cache poisoning, the password service for creating rogue accounts, and other services, ultimately achieving remote code execution on the host server [ref_id=1]. When chained with the authorization bypass in GHSA-78x5-c8gw-8279, the authentication requirement is eliminated, allowing unauthenticated remote attackers to reach the same SSTI vector [ref_id=1][ref_id=2].
Affected code
The vulnerability spans multiple files: `src/modules/System/Service.php` (renderString uses `$twig->createTemplate($tpl)` without sandbox restrictions), `src/modules/System/Api/Admin.php` (string_render endpoint passes user-supplied `_tpl` to renderString), `src/modules/Email/Service.php` (email templates rendered via `_parse` calling renderString), `src/di.php` (Twig configured without sandbox and with StringLoaderExtension), and `src/library/Api/Handler.php` / `src/library/Api/Abstract.php` (getDi() exposes the full DI container) [ref_id=1].
What the fix does
Version 0.8.0 patches the SSTI by applying sandbox restrictions to the Twig environment, preventing injected templates from accessing arbitrary objects and methods [ref_id=1]. The advisory does not provide a diff, but describes the fix as making `renderString()` and all of its callers (email templates, mass mail, custom payment adapters, the `string_render` API) render within a sandboxed Twig context, which blocks calls to `getDi()` and therefore access to the dependency injection container [ref_id=1]. The authorization bypass in GHSA-78x5-c8gw-8279 is fixed in the same release, closing the unauthenticated attack path [ref_id=2].
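The following is an added example, not FOSSBilling's code or the 0.8.0 patch, that reproduces the pattern described above in a stand-alone PHP script: an unsandboxed `createTemplate()` renderer with `StringLoaderExtension` enabled beside a renderer wrapped in Twig's `SandboxExtension` with an explicit allow-list. The `FakeApiHandler` class, the `db_password` value, the `admin` global name and the `{{ admin.getDi().db_password }}` payload are constructed stand-ins for illustration; the real project's classes and container contents are not reproduced. It needs PHP 8 and Twig 3 (`composer require twig/twig`).

```php
<?php
// Added example (not FOSSBilling code): unsandboxed vs. sandboxed Twig string rendering.
// Requires PHP 8 and `composer require twig/twig` (Twig 3.x).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an API handler object exposed as a template global.
// The only property that matters here is that a public getter hands back a
// privileged container, the way the advisory describes getDi() doing.
final class FakeApiHandler
{
    public function __construct(private array $container) {}
    public function getDi(): array { return $this->container; }  // what an attacker reaches for
    public function getVersion(): string { return '0.7.x'; }     // harmless, should stay callable
}

// Constructed sample context: the container holds a secret the template must never see.
$globals = ['admin' => new FakeApiHandler(['db_password' => 'hunter2', 'pdo' => 'PDO instance'])];

// BEFORE: the pattern described in the advisory. The template string comes from the
// caller and is compiled with no sandbox, so every public method on every object
// reachable from the context (including getDi()) can be invoked.
function renderUnsandboxed(string $tpl, array $globals): string
{
    $twig = new Environment(new ArrayLoader());
    $twig->addExtension(new StringLoaderExtension());
    foreach ($globals as $name => $value) { $twig->addGlobal($name, $value); }
    return $twig->createTemplate($tpl)->render([]);
}

// AFTER: same entry point, but a globally enabled SandboxExtension with an allow-list.
// Anything not listed (tag, filter, function, method, property) raises a SecurityError
// at render time. Note that template_from_string is deliberately NOT in the function
// list, so StringLoaderExtension cannot be used to build a nested unsandboxed template.
function renderSandboxed(string $tpl, array $globals): string
{
    $policy = new SecurityPolicy(
        ['if', 'for', 'set'],                                   // allowed tags
        ['escape', 'upper', 'lower', 'date', 'number_format'],  // allowed filters ('escape' is needed by autoescape)
        [FakeApiHandler::class => ['getVersion']],              // allowed methods, per class: getDi() is absent
        [],                                                      // allowed properties: none
        ['range']                                                // allowed functions
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new StringLoaderExtension());
    $twig->addExtension(new SandboxExtension($policy, true));   // true = every template is sandboxed
    foreach ($globals as $name => $value) { $twig->addGlobal($name, $value); }
    return $twig->createTemplate($tpl)->render([]);
}

$benign  = 'Running FOSSBilling {{ admin.getVersion() }}';
$payload = '{{ admin.getDi().db_password }}';  // constructed SSTI payload, not taken from the advisory

echo renderUnsandboxed($benign), "\n";   // Running FOSSBilling 0.7.x
echo renderUnsandboxed($payload), "\n";  // hunter2  <- secret leaked through the container

echo renderSandboxed($benign), "\n";     // Running FOSSBilling 0.7.x, allowed method still works
try {
    renderSandboxed($payload);
} catch (SecurityError $e) {
    // Twig\Sandbox\SecurityNotAllowedMethodError: getDi is not on the allow-list
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

The allow-list is the whole defence: every class whose methods templates are permitted to call has to be reviewed for getters that return privileged objects, and the `template_from_string` function (and any equivalent that compiles caller-controlled strings) must stay off the list, otherwise the sandbox can be escaped from inside an allowed template. Sandboxing also does nothing for the authorization bypass; that is closed separately by the same release.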
Preconditions
- Authentication: attacker must be an authenticated administrator (or chain with GHSA-78x5-c8gw-8279 for unauthenticated access)
- Input: attacker must have access to a feature that renders Twig templates (email templates, mass mail campaigns, custom payment adapters, or the string_render API endpoint)
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc (CONFIRM)
- https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279 (MISC)
- https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce (MISC)
News mentions
No linked articles in our index yet.