Pebble External File Path via include tag (CVE-2025-1686)
CVE-2025-1686 Published on February 27, 2025
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();
Vulnerability Analysis
CVE-2025-1686 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-1686. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.
Products Associated with CVE-2025-1686
Want to know whenever a new CVE is published for Pebbletemplates Pebble? stack.watch will email you.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-1686
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | io.pebbletemplates:pebble | <= 3.2.3 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.