CVE-2025-59340
jinjava Sandbox Bypass via JavaType-Based Deserialization
In short
The jinjava template engine allows attackers to bypass its sandbox restrictions by tricking it into creating arbitrary Java objects from user-controlled input, potentially enabling local file theft or remote code execution.
Technical detail
A CWE-1336 deserialization flaw in jinjava versions before 2.8.1 allows unauthenticated remote attackers to invoke ObjectMapper.constructFromCanonical() with attacker-controlled canonical type names, instantiating restricted classes (e.g., java.net.URL) and escaping the sandbox without direct method invocation or class-literal access. Exploitation enables local file access (file:// URIs) and potentially RCE via gadget chaining.
Summary generated and translated by AI from the official description.
jinjava is a Java-based template engine based on Django template syntax, adapted to render Jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs (e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
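As an added defensive example (not code from the advisory or from the jinjava project), the Python below flags dependency versions below the 2.8.1 fix and scans untrusted template text for the type-factory call path and file: URIs named above; the pattern labels and the sample inputs are constructed here.

```python
"""Defensive checks for CVE-2025-59340 (jinjava sandbox bypass, fixed in 2.8.1).

Two checks that run offline:
  1. is_vulnerable_version(): flag a jinjava version below the fixed 2.8.1.
  2. scan_template(): flag untrusted templates that reach for the Jackson
     type-factory entry point named in the advisory, or embed file: URIs.
Version strings and templates passed to these functions are constructed inputs.
"""
import re

FIXED_VERSION = (2, 8, 1)  # first release containing the fix, per the advisory

# Labels (chosen here) and patterns derived from the advisory text. The regexes
# tolerate whitespace around call parentheses and ignore case.
SUSPICIOUS_PATTERNS = [
    ("type_factory", re.compile(r"getTypeFactory\s*\(\s*\)", re.I)),
    ("construct_from_canonical", re.compile(r"constructFromCanonical\s*\(", re.I)),
    ("file_uri", re.compile(r"\bfile:/{2,3}", re.I)),
]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Return the numeric (major, minor, patch) prefix of a Maven-style version.

    Missing components default to 0; a trailing qualifier such as '-SNAPSHOT'
    is ignored here and handled by is_vulnerable_version().
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the version predates the 2.8.1 fix.

    A 2.8.1 pre-release (e.g. '2.8.1-SNAPSHOT') is treated as vulnerable,
    because it cannot be assumed to contain the final fix.
    """
    cleaned = version.strip()
    nums = parse_version(cleaned)
    qualifier = cleaned[_VERSION_RE.match(cleaned).end():]
    if nums == FIXED_VERSION and "snapshot" in qualifier.lower():
        return True
    return nums < FIXED_VERSION


def scan_template(template: str) -> list:
    """Return the labels of every suspicious pattern found in an untrusted template."""
    return [label for label, pat in SUSPICIOUS_PATTERNS if pat.search(template)]
```

Run the version check against the resolved jinjava version in your dependency tree and the template scan over any template text that originates outside your own code base.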
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
HubSpot · jinjava