PT-2025-8914 · Unknown · Io.Pebbletemplates:Pebble

Jonathan Leitschuh · Published 2025-02-27 · Updated 2025-02-28 · CVE-2025-1686
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: io.pebbletemplates:pebble (affected versions not specified)
Description: An attacker who can craft a malicious notification template can control the file name or path used by the include tag, potentially reading sensitive local files such as /etc/passwd or /proc/1/environ.
Recommendations: To mitigate this issue, disable the include tag in Pebble Templates with the following Java code:
import java.util.List;
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.extension.DisallowExtensionCustomizerBuilder;

// Remove the "include" tag from the parser so any template that uses it fails to parse.
PebbleEngine engine = new PebbleEngine.Builder()
        .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                .disallowedTokenParserTags(List.of("include"))
                .build())
        .build();
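As an added example (not part of the advisory or the Pebble project), the following Java program builds the engine with the recommended customizer and checks that a template using the include tag is rejected at parse time while an ordinary template still renders. The class and method names, the use of StringLoader so the template text itself stands in for a user-supplied notification template, and the sample templates are my assumptions.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.UncheckedIOException;
import java.util.List;
import java.util.Map;

import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.error.PebbleException;
import io.pebbletemplates.pebble.extension.DisallowExtensionCustomizerBuilder;
import io.pebbletemplates.pebble.loader.StringLoader;
import io.pebbletemplates.pebble.template.PebbleTemplate;

public class IncludeTagMitigationCheck {
    // Engine hardened as in the recommendation: the "include" tag is removed
    // from the parser, so templates that use it fail before any file is opened.
    static PebbleEngine hardenedEngine() {
        return new PebbleEngine.Builder()
                // Assumption: StringLoader treats the "template name" as the template
                // source, which models untrusted, user-supplied template text.
                .loader(new StringLoader())
                .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                        .disallowedTokenParserTags(List.of("include"))
                        .build())
                .build();
    }

    // Returns the rendered output, or null when the engine rejects the template.
    static String render(PebbleEngine engine, String source, Map<String, Object> model) {
        try {
            PebbleTemplate template = engine.getTemplate(source); // parse happens here
            StringWriter out = new StringWriter();
            template.evaluate(out, model);
            return out.toString();
        } catch (PebbleException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void main(String[] args) {
        PebbleEngine engine = hardenedEngine();
        Map<String, Object> model = Map.of("user", "alice");
        // A benign notification template (constructed input) still renders normally.
        System.out.println(render(engine, "Hello {{ user }}!", model));
        // A template that reaches for the include tag (constructed input) is refused at parse time.
        System.out.println(render(engine, "{% include \"untrusted-path.txt\" %}", model));
    }
}
```

Run it against the Pebble version you deploy: if the second template renders instead of being rejected, the customizer is not registered on the engine instance that actually processes user templates.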

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-1686
GHSA-P75G-CXFJ-7WRX

Affected Products

Io.Pebbletemplates:Pebble