Description
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();
References (6)
Core 6
Core References
Issue Tracking
https://github.com/PebbleTemplates/pebble/issues/680
Issue Tracking, Vendor Advisory
https://github.com/PebbleTemplates/pebble/issues/688
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594
Issue Tracking
https://github.com/PebbleTemplates/pebble/pull/715
Scores
CVSS v3
6.8
EPSS
0.0078
EPSS Percentile
51.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-73
Status
published
Products (4)
None/io.pebbletemplates:pebble
< 4.1.0
io.pebbletemplates/pebble
0Maven
pebbletemplates/pebble
pebbletemplates/pebble_templates
< 4.1.0
Published
Feb 27, 2025
Tracked Since
Feb 18, 2026