CVE-2025-62416 (GCVE-0-2025-62416)
Vulnerability from cvelistv5
Published
2025-10-16 18:32
Modified
2025-10-16 18:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.
References
{
"containers": {
"cna": {
"affected": [
{
"product": "bagisto",
"vendor": "bagisto",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend \u2014 potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:32:55.776Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj"
}
],
"source": {
"advisory": "GHSA-527q-4wqv-g9wj",
"discovery": "UNKNOWN"
},
"title": "bagisto - Server Side Template Injection (SSTI) in Product Description"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62416",
"datePublished": "2025-10-16T18:32:55.776Z",
"dateReserved": "2025-10-13T16:26:12.179Z",
"dateUpdated": "2025-10-16T18:32:55.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-62416\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-16T19:15:34.493\",\"lastModified\":\"2025-10-16T19:15:34.493\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend \u2014 potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.0,\"impactScore\":3.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-1336\"}]}],\"references\":[{\"url\":\"https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
fkie_cve-2025-62416
Vulnerability from fkie_nvd
Published
2025-10-16 19:15
Modified
2025-10-16 19:15
Severity ?
Summary
Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend \u2014 potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8."
}
],
"id": "CVE-2025-62416",
"lastModified": "2025-10-16T19:15:34.493",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-16T19:15:34.493",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
ghsa-527q-4wqv-g9wj
Vulnerability from github
Published
2025-10-16 20:28
Modified
2025-10-16 21:54
Severity ?
VLAI Severity ?
Summary
bagisto has Server Side Template Injection (SSTI) in Product Description
Details
Summary
Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server.
Details
In Bagisto, product descriptions are rendered through Laravel’s Blade templating engine in various front-end and admin views. The product description field is not sanitized or escaped before being passed to the view, which means user-supplied data can break out of the expected string context and execute arbitrary template code.
PoC
Create a product and enter the payload to the description.
Preview the page, observed that the template expressions were evaluated by the backend and displayed on the screen.
Impact
RCE potential: Attackers can execute arbitrary PHP code or system commands. Data breach: Read sensitive environment variables (.env), API keys, or database credentials. Defacement / persistence: Inject malicious scripts or backdoors in dynamic templates. Privilege escalation: If attackers have limited roles (e.g., product manager), they can compromise the entire application or host.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.7"
},
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62416"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T20:28:35Z",
"nvd_published_at": "2025-10-16T19:15:34Z",
"severity": "MODERATE"
},
"details": "### Summary\nBagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend \u2014 potentially leading to Remote Code Execution (RCE) on the server.\n\n### Details\nIn Bagisto, product descriptions are rendered through Laravel\u2019s Blade templating engine in various front-end and admin views. The product description field is not sanitized or escaped before being passed to the view, which means user-supplied data can break out of the expected string context and execute arbitrary template code.\n\n### PoC\nCreate a product and enter the payload to the description.\n\u003cimg width=\"679\" height=\"669\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1e5dac3f-4043-4b31-98ed-f4346feb5477\" /\u003e\nPreview the page, observed that the template expressions were evaluated by the backend and displayed on the screen.\n\u003cimg width=\"1431\" height=\"922\" alt=\"image\" src=\"https://github.com/user-attachments/assets/16f29c6e-05f4-40c4-9926-0c59e0a979c2\" /\u003e\n\n\n### Impact\nRCE potential: Attackers can execute arbitrary PHP code or system commands.\nData breach: Read sensitive environment variables (.env), API keys, or database credentials.\nDefacement / persistence: Inject malicious scripts or backdoors in dynamic templates.\nPrivilege escalation: If attackers have limited roles (e.g., product manager), they can compromise the entire application or host.",
"id": "GHSA-527q-4wqv-g9wj",
"modified": "2025-10-16T21:54:30Z",
"published": "2025-10-16T20:28:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62416"
},
{
"type": "PACKAGE",
"url": "https://github.com/bagisto/bagisto"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "bagisto has Server Side Template Injection (SSTI) in Product Description"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…