{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1686", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2025-02-25T10:32:01.608Z", "datePublished": "2025-02-27T05:00:05.848Z", "dateUpdated": "2026-04-19T07:54:57.303Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"}}], "credits": [{"value": "Jonathan Leitschuh", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "description": "External Control of File Name or Path", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-04-19T07:54:57.303Z"}, "descriptions": [{"value": "Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\r\r Workaround\r\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\r\rjava\rnew PebbleEngine.Builder()\r .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\r .disallowedTokenParserTags(List.of(\"include\"))\r .build())\r .build();", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"}, {"url": "https://github.com/PebbleTemplates/pebble/issues/680"}, {"url": "https://pebbletemplates.io/wiki/tag/include"}, {"url": "https://github.com/PebbleTemplates/pebble/issues/688"}, {"url": "https://github.com/PebbleTemplates/pebble/commit/b3451c8f305a1a248fbcc2363fd307d0baaee329"}], "affected": [{"product": "io.pebbletemplates:pebble", "versions": [{"version": "0", "lessThan": "4.1.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-73", "lang": "en", "description": "CWE-73 External Control of File Name or Path"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-27T14:44:07.532280Z", "id": "CVE-2025-1686", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T14:44:57.552Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-12-19T16:08:39.301Z"}, "references": [{"url": "https://github.com/PebbleTemplates/pebble/pull/715"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/PebbleTemplates/pebble/pull/715"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-12-19T16:08:39.301Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1686", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-27T14:44:07.532280Z"}}}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T14:44:39.962Z"}}], "cna": {"credits": [{"lang": "en", "value": "Jonathan Leitschuh"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "HIGH"}, "cvssV4_0": {"version": "4.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "io.pebbletemplates:pebble", "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.0", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"}, {"url": "https://github.com/PebbleTemplates/pebble/issues/680"}, {"url": "https://pebbletemplates.io/wiki/tag/include"}, {"url": "https://github.com/PebbleTemplates/pebble/issues/688"}, {"url": "https://github.com/PebbleTemplates/pebble/commit/b3451c8f305a1a248fbcc2363fd307d0baaee329"}], "descriptions": [{"lang": "en", "value": "Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\r\r Workaround\r\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\r\rjava\rnew PebbleEngine.Builder()\r .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\r .disallowedTokenParserTags(List.of(\"include\"))\r .build())\r .build();"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-73", "description": "External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-04-19T07:54:57.303Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1686", "state": "PUBLISHED", "dateUpdated": "2026-04-19T07:54:57.303Z", "dateReserved": "2025-02-25T10:32:01.608Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2025-02-27T05:00:05.848Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pebbletemplates:pebble:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FFCA887-2A68-4039-B1BD-19EF231955B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\r\r Workaround\r\rThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\r\rjava\rnew PebbleEngine.Builder()\r .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\r .disallowedTokenParserTags(List.of(\"include\"))\r .build())\r .build();"}, {"lang": "es", "value": "Todas las versiones del paquete io.pebbletemplates:pebble son vulnerables al control externo del nombre o la ruta de archivo a trav\u00e9s de la etiqueta include. Un atacante con privilegios elevados puede acceder a archivos locales confidenciales mediante la manipulaci\u00f3n de plantillas de notificaci\u00f3n maliciosas que aprovechen esta etiqueta para incluir archivos como /etc/passwd o /proc/1/environ. Soluci\u00f3n alternativa Esta vulnerabilidad se puede mitigar deshabilitando la macro include en las plantillas Pebble: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of(\"include\")) .build()) .build();"}], "id": "CVE-2025-1686", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2025-02-27T05:15:14.143", "references": [{"source": "report@snyk.io", "url": "https://github.com/PebbleTemplates/pebble/commit/b3451c8f305a1a248fbcc2363fd307d0baaee329"}, {"source": "report@snyk.io", "tags": ["Issue Tracking"], "url": "https://github.com/PebbleTemplates/pebble/issues/680"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/PebbleTemplates/pebble/issues/688"}, {"source": "report@snyk.io", "tags": ["Product"], "url": "https://pebbletemplates.io/wiki/tag/include"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/PebbleTemplates/pebble/pull/715"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-73"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "io.pebbletemplates:pebble: Path Traversal Vulnerability in Pebble Templates", "id": "2348665", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348665"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-73", "details": ["All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.\nWorkaround\nThis vulnerability can be mitigated by disabling the include macro in Pebble Templates:\njava\nnew PebbleEngine.Builder()\n.registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()\n.disallowedTokenParserTags(List.of(\"include\"))\n.build())\n.build();", "A flaw was found in Pebble Templates. This vulnerability allows high-privileged attackers to access sensitive local files via the include tag, enabling arbitrary file inclusion."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-1686", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Will not fix", "package_name": "pebble", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "pebble", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "pebble", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "pebble", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-02-27T05:00:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1686\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1686\nhttps://github.com/PebbleTemplates/pebble/issues/680\nhttps://github.com/PebbleTemplates/pebble/issues/688\nhttps://pebbletemplates.io/wiki/tag/include\nhttps://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T15:35:01.276700+00:00", "value": {"mitigation_remediation": ["Upgrade Pebble to version 4.1.0 or later to eliminate the include\u2011tag path traversal flaw.", "If upgrading is not feasible, disable the include tag by configuring the Pebble Engine with a DisallowExtensionCustomizerBuilder and listing \"include\" in the disallowed token parser tags.", "Restrict template sources to trusted directories and validate any external input before rendering to prevent malicious templates from gaining file inclusion capabilities."], "summary": {"action": "Patch or Disable", "impact": "Local file read via path traversal"}, "threat_synthesis": {"affected_systems": "Affected systems are applications that incorporate the Pebble library (io.pebbletemplates:pebble) in versions 0 and up to, but not including, 4.1.0. The vulnerable code resides in the include tag functionality of the Pebble Engine. Any deployment that utilizes the default engine or an unmodified custom engine may expose the flaw.", "description_and_impact": "The vulnerability in Pebble Templates arises from the ability of the include tag to resolve external file paths without properly sanitizing the input. An attacker who can supply or influence templated content can craft a malicious notification template that references arbitrary file paths such as /etc/passwd or /proc/1/environ. The result is that privileged application users gain read access to sensitive local files, exposing configuration data, credentials, or environment variables, potentially facilitating further compromise. This defect is classified as CWE\u201173, External Control of File Name or Path.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS score of < 1% suggests a low probability of exploitation at the time of analysis, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is application\u2011level: an adversary must be able to supply or modify template content that the application renders. High\u2011privileged application execution is required to read sensitive local files, but once an attacker can inject a malicious template, the included file contents are returned in the rendered output, enabling data exfiltration."}}}}, "created": "2026-04-20T15:45:10.395224+00:00", "updated": "2026-04-20T15:45:10.395236+00:00", "vendors": []}