ghsa-527q-4wqv-g9wj
Vulnerability from github
Published
2025-10-16 20:28
Modified
2025-10-16 21:54
Summary
bagisto has Server Side Template Injection (SSTI) in Product Description
Details

Summary

Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server.

Details

In Bagisto, product descriptions are rendered through Laravel’s Blade templating engine in various front-end and admin views. The product description field is not sanitized or escaped before being passed to the view, which means user-supplied data can break out of the expected string context and execute arbitrary template code.

PoC

Create a product and enter the payload into the description field. (screenshot) Preview the page and observe that the template expressions were evaluated by the backend and their results displayed on the screen. (screenshot)

Impact

RCE potential: Attackers can execute arbitrary PHP code or system commands.
Data breach: Read sensitive environment variables (.env), API keys, or database credentials.
Defacement / persistence: Inject malicious scripts or backdoors in dynamic templates.
Privilege escalation: If attackers have limited roles (e.g., product manager), they can compromise the entire application or host.



{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T20:28:35Z",
    "nvd_published_at": "2025-10-16T19:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nBagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend \u2014 potentially leading to Remote Code Execution (RCE) on the server.\n\n### Details\nIn Bagisto, product descriptions are rendered through Laravel\u2019s Blade templating engine in various front-end and admin views. The product description field is not sanitized or escaped before being passed to the view, which means user-supplied data can break out of the expected string context and execute arbitrary template code.\n\n### PoC\nCreate a product and enter the payload to the description.\n\u003cimg width=\"679\" height=\"669\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1e5dac3f-4043-4b31-98ed-f4346feb5477\" /\u003e\nPreview the page, observed that the template expressions were evaluated by the backend and displayed on the screen.\n\u003cimg width=\"1431\" height=\"922\" alt=\"image\" src=\"https://github.com/user-attachments/assets/16f29c6e-05f4-40c4-9926-0c59e0a979c2\" /\u003e\n\n\n### Impact\nRCE potential: Attackers can execute arbitrary PHP code or system commands.\nData breach: Read sensitive environment variables (.env), API keys, or database credentials.\nDefacement / persistence: Inject malicious scripts or backdoors in dynamic templates.\nPrivilege escalation: If attackers have limited roles (e.g., product manager), they can compromise the entire application or host.",
  "id": "GHSA-527q-4wqv-g9wj",
  "modified": "2025-10-16T21:54:30Z",
  "published": "2025-10-16T20:28:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62416"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bagisto/bagisto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bagisto has Server Side Template Injection (SSTI) in Product Description"
}
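The affected range in the record above uses OSV semantics: introduced at "0" and fixed at "2.3.8", so every bagisto/bagisto release strictly below 2.3.8 is in scope. The following script is an added example, not part of the advisory or the Bagisto project; it reads a composer.lock, finds the locked bagisto/bagisto version and classifies it against that range. The composer.lock excerpt embedded in it is constructed sample data, and the version parser is a deliberately simple X.Y.Z comparison (pre-release suffixes are ignored), which is enough for this advisory's range but not a general Composer constraint solver.

```python
"""Check a composer.lock for an affected bagisto/bagisto version.

Added example, not part of the advisory or the Bagisto project. The affected
range (every version below 2.3.8) is taken from the advisory record; the
composer.lock content below is constructed sample data.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "bagisto/bagisto"
FIXED_VERSION = "2.3.8"  # the "fixed" event in the advisory's ECOSYSTEM range

# Constructed sample composer.lock excerpt (not a real lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "bagisto/bagisto", "version": "v2.3.7"},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v2.3.7', '2.3.7' or '2.3.7-beta' into a comparable int tuple.

    Only the leading numeric components are compared; a pre-release suffix is
    dropped, so '2.3.8-beta1' is treated as 2.3.8. That is adequate for the
    plain X.Y.Z boundary in this advisory, but it is not full semver ordering.
    """
    core = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the locked version of `package`, or None if it is not installed.

    Both the production and dev package lists of composer.lock are searched.
    """
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """OSV range {introduced: 0, fixed: X}: affected iff version < X."""
    return parse_version(version) < parse_version(fixed)


def check_lock(lock_json: str) -> str:
    """Classify a lock file as 'not-installed', 'affected' or 'fixed'."""
    version = installed_version(lock_json)
    if version is None:
        return "not-installed"
    return "affected" if is_affected(version) else "fixed"


if __name__ == "__main__":
    # With the constructed sample lock (v2.3.7) this reports "affected".
    print(f"{PACKAGE} in sample lock: {check_lock(SAMPLE_LOCK)}")
```

Run it against a real deployment by replacing SAMPLE_LOCK with the contents of the application's composer.lock; anything other than "fixed" means the advisory applies and the upgrade to 2.3.8 or later is outstanding.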
