CVE-2025-1686

Summary

Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via include macro

Description

Summary

If untrusted user input is used to dynamically create a PebbleTemplate with the method PebbleEngine#getLiteralTemplate, then an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of PebbleTemplate#evaluate. This is done via the include macro.

Details

The include macro calls PebbleTempateImpl#resolveRelativePath with the relativePath argument passed within the template:

Example template:

{% include [relativePath] %}

When resolveRelativePath is called, the relativePath is resolved against the PebbleTemplateImpl.name variable.

  /**
   * This method resolves the given relative path based on this template file path.
   *
   * @param relativePath the path which should be resolved.
   * @return the resolved path.
   */
  public String resolveRelativePath(String relativePath) {
    String resolved = this.engine.getLoader().resolveRelativePath(relativePath, this.name);
    if (resolved == null) {
      return relativePath;
    } else {
      return resolved;
    }
  }

https://github.com/PebbleTemplates/pebble/blob/82ad7fcf9e9eaa45ee82ae3335a1409d19c10263/pebble/src/main/java/io/pebbletemplates/pebble/template/PebbleTemplateImpl.java#L380

Unfortunately, when the template is created from a string, as is the case when PebbleEngine#getLiteralTemplate is used, the PebbleTemplateImpl.name variable is actually the entirety of the contents of the template, not a filename as the logic expects. The net result is that the relativePath is resolved against the system root directory. As a result, files accessible from the root directory of the filesystem can be included into a template.

PoC

The following test demonstrates the vulnerability:

PebbleEngine e = new PebbleEngine.Builder().build();

String templateString = """
        {% include '/etc/passwd' %}
        """;
PebbleTemplate template = e.getLiteralTemplate(templateString);

try (final Writer writer = new StringWriter()) {
    template.evaluate(writer, new HashMap<>());
    System.out.println(writer);
}

As an attacker, the following malicious template demonstrates the vulnerability:

{% include '/etc/passwd' %}

Impact

This is an arbitrary Local File Inclusion (LFI) vulnerability. It can allow attackers to exfiltrate the contents of the local filesystem, including sensitive files into PebbleTemplate output. This can also be used to access the /proc filesystem which can give an attacker access to environment variables.

Fix

There exists no published fix for this vulnerability. The best way to mitigate this vulnerability is to disable the include macro in Pebble Templates.

The following can safeguard your application from this vulnerability:

new PebbleEngine.Builder()
            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                    .disallowedTokenParserTags(List.of("include"))
                    .build())
            .build();

Report Timeline

Vulnerability was reported under the Open Source Security Foundation (OpenSSF) Model Outbound Vulnerability Disclosure Policy: Version 0.1.

• Jul 15, 2024 Maintainer Contacted to enable private vulnerability reporting
• Jul 18, 2024 I opened a GHSA to report this vulnerability to the maintainer https://github.com/PebbleTemplates/pebble/security/advisories/GHSA-7c6h-hmf9-7wj7 (private link)
• Jul 29, 2024 GHSA updated to ping maintainer about vulnerability, no response
• Oct 1, 2024 GHSA updated to ping maintainer about vulnerability, no response
• Nov 15, 2024 GHSA updated to inform maintainer that disclosure timeline had lapsed, no response.
• Feb 19, 2025 GHSA updated to inform maintainer that disclosure would occur imminently, no response.
• Feb 24, 2025 this GHSA was created to disclose this vulnerability without a patch available.

For further discussion, see this issue: https://github.com/PebbleTemplates/pebble/issues/688

Credit

This vulnerability was discovered by @JLLeitschuh while at Chainguard Labs. Jonathan is currently independent.