GHSA-527q-4wqv-g9wj

Source
https://github.com/advisories/GHSA-527q-4wqv-g9wj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-527q-4wqv-g9wj/GHSA-527q-4wqv-g9wj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-527q-4wqv-g9wj
Aliases
Published
2025-10-16T20:28:35Z
Modified
2025-10-16T21:57:51.475466Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
Summary
bagisto has Server Side Template Injection (SSTI) in Product Description
Details

Summary

Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server.

Details

In Bagisto, product descriptions are rendered through Laravel’s Blade templating engine in various front-end and admin views. The product description field is not sanitized or escaped before being passed to the view, which means user-supplied data can break out of the expected string context and execute arbitrary template code.
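The safe handling implied above, as an added example in plain PHP that is not Bagisto's or Laravel's code: the stored description is HTML-escaped on output (what Blade's `{{ }}` echo does via `e()`) instead of being compiled as a template, and a triage helper flags stored descriptions that contain Blade or PHP syntax so an operator can review existing catalogue rows after upgrading to the fixed version. The pattern list and the sample product rows are constructed assumptions, not data from the advisory.

```php
<?php
// Added example (not Bagisto's code): treat a product description as data,
// never as a template. Two things a defender wants here:
//   1. a renderer that HTML-escapes the stored description, so any template
//      syntax inside it is shown literally instead of being evaluated, and
//   2. a triage helper that flags descriptions containing Blade or PHP syntax,
//      for reviewing existing catalogue data after patching.

declare(strict_types=1);

/**
 * Render a product description as escaped text.
 * This is what Blade's {{ $description }} does, as opposed to
 * {!! $description !!} or handing the string to the Blade compiler.
 */
function renderDescription(string $description): string
{
    return htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Return the template constructs found in a description so an operator can
 * locate suspicious records. An empty array means nothing was found.
 * The pattern list is an assumption for triage: it covers Blade echo
 * delimiters, common directives and raw PHP tags. It is NOT a filter that
 * would make compiling user input safe; the fix is to never compile it.
 */
function findTemplateSyntax(string $description): array
{
    $patterns = [
        'blade_echo'      => '/\{\{.*?\}\}/s',
        'blade_raw_echo'  => '/\{!!.*?!!\}/s',
        'blade_directive' => '/@(php|if|foreach|include|extends|inject)\b/i',
        'php_tag'         => '/<\?(php|=)?/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $description, $m)) {
            $hits[$name] = $m[0];
        }
    }
    return $hits;
}

// Constructed sample rows standing in for the products table.
$samples = [
    1 => 'Soft cotton shirt, available in three colours.',
    2 => 'Great shirt {{ $title }}',          // constructed: echo syntax stored as data
    3 => "Shirt <?php echo 'x'; ?> details",  // constructed: raw PHP tag stored as data
];

foreach ($samples as $id => $description) {
    $flags = findTemplateSyntax($description);
    printf("product %d: %s\n", $id, $flags ? 'FLAG ' . json_encode($flags) : 'ok');
    // Escaped output keeps braces and tags as inert text in the HTML.
    printf("  rendered: %s\n", renderDescription($description));
}
```

Running the script prints `ok` for the first row and a `FLAG` line with the matched construct for the other two; the rendered lines show the braces and `<?php` tag as literal text. The triage helper is useful once, against data written while a vulnerable version was deployed; the durable control is rendering the description through an escaping echo (or an HTML sanitiser with an allowlist, if rich text is required) rather than through the template compiler.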

PoC

Create a product and enter the payload into the description field. (screenshot) Preview the page and observe that the template expressions were evaluated by the backend and displayed on the screen. (screenshot)

Impact

  • RCE potential: attackers can execute arbitrary PHP code or system commands.
  • Data breach: read sensitive environment variables (.env), API keys, or database credentials.
  • Defacement / persistence: inject malicious scripts or backdoors in dynamic templates.
  • Privilege escalation: if attackers have limited roles (e.g., product manager), they can compromise the entire application or host.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T20:28:35Z",
    "severity": "MODERATE",
    "nvd_published_at": "2025-10-16T19:15:34Z",
    "cwe_ids": [
        "CWE-1336",
        "CWE-94"
    ]
}
References

Affected packages

Packagist / bagisto/bagisto

Package

Name
bagisto/bagisto
Purl
pkg:composer/bagisto/bagisto

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.8

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4-BETA1
v0.1.4-BETA2
v0.1.4-BETA3
v0.1.4-BETA4
v0.1.4
v0.1.5
v0.1.6-ALPHA1
v0.1.6
v0.1.7-BETA1
v0.1.7-BETA2
v0.1.7
v0.1.8
v0.1.9-BETA1
v0.1.9
v0.2.0
v0.2.1
v0.2.2

v1.*

v1.0.0-BETA1
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.2.0-BETA1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.5.0
v1.5.1

v2.*

v2.0.0-BETA-1
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-527q-4wqv-g9wj/GHSA-527q-4wqv-g9wj.json"

last_known_affected_version_range

"<= 2.3.7"