CVE-2025-59340
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-59340
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59340.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-59340
- Aliases
- Published
- 2025-09-17T20:01:55Z
- Modified
- 2025-11-11T19:39:20.903572Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- jinjava Sandbox Bypass via JavaType-Based Deserialization
- Details
-
jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Priori to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
- Database specific
{ "cwe_ids": [ "CWE-1336" ] }- References
Affected packages
Git / github.com/hubspot/jinjava
Affected ranges
- Type
- GIT
- Repo
- https://github.com/hubspot/jinjava
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
jinjava-1.*
jinjava-1.0.0
jinjava-1.0.1
jinjava-1.0.2
jinjava-1.0.3
jinjava-1.0.4
jinjava-1.0.5
jinjava-1.0.6
jinjava-1.0.7
jinjava-1.0.8
jinjava-1.0.9
jinjava-2.*
jinjava-2.0.0
jinjava-2.0.1
jinjava-2.0.2
jinjava-2.0.3
jinjava-2.0.4
jinjava-2.0.5
jinjava-2.5.10
jinjava-2.5.3
jinjava-2.5.4
jinjava-2.5.5
jinjava-2.5.6
jinjava-2.5.7
jinjava-2.5.8
jinjava-2.6.0
jinjava-2.7.0
jinjava-2.7.1
jinjava-2.7.2
jinjava-2.7.3
jinjava-2.7.4
jinjava-2.8.0