Vulnerability Description
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pebbletemplates | Pebble | All versions |
Related Weaknesses (CWE)
References
- https://github.com/PebbleTemplates/pebble/commit/b3451c8f305a1a248fbcc2363fd307d
- https://github.com/PebbleTemplates/pebble/issues/680Issue Tracking
- https://github.com/PebbleTemplates/pebble/issues/688Issue TrackingVendor Advisory
- https://pebbletemplates.io/wiki/tag/includeProduct
- https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594ExploitThird Party Advisory
- https://github.com/PebbleTemplates/pebble/pull/715
- https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594ExploitThird Party Advisory
FAQ
What is CVE-2025-1686?
CVE-2025-1686 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive l...
How severe is CVE-2025-1686?
CVE-2025-1686 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-1686?
Check the references section above for vendor advisories and patch information. Affected products include: Pebbletemplates Pebble.