ghsa-m49c-g9wr-hv6v
Vulnerability from github
Published
2025-09-17 19:56
Modified
2025-09-22 16:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
jinjava has Sandbox Bypass via JavaType-Based Deserialization
Details

Summary

jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as getClass(), and block instantiation of Class objects. However, these protections can be bypassed.

By using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals.

As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE).

Details

jinjava templates expose a built-in variable ____int3rpr3t3r____, which provides direct access to the jinjavaInterpreter instance. This variable was previously abused and protections were added to prevent call method from JinjavaInterpreter instances (see Add interpreter to blacklist). However, interacting with the properties of JinjavaInterpreter instances remains unrestricted.

From ____int3rpr3t3r____, it is possible to traverse to the config field, which exposes an ObjectMapper. By invoking readValue(String content, JavaType valueType) on this ObjectMapper, an attacker can instantiate arbitrary classes specified via JavaType.

Although jinjava explicitly restricts dangerous classes such as Class, ClassLoader, and so on inside JinjavaBeanELResolver, the JavaType class itself is not restricted.

As a result, an attacker can leverage JavaType construction (constructFromCanonical) to instantiate semi-arbitrary classes without directly calling restricted methods.

This allows sandbox escape and the creation of powerful primitives.

Impact

Escape the Jinjava sandbox and instantiate a wide range of classes using JavaType. This capability can be used to read arbitrary files and to perform full read SSRF by creating network-related objects. In certain environments, depending on the available classes, this primitive can even lead to complete remote code execution.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.hubspot.jinjava:jinjava"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-17T19:56:21Z",
    "nvd_published_at": "2025-09-17T20:15:36Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\njinjava\u2019s current sandbox restrictions prevent direct access to dangerous methods such as `getClass()`, and block instantiation of Class objects. However, these protections can be bypassed.\n\nBy using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals.\n\nAs a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE).\n\n### Details\n\njinjava templates expose a built-in variable `____int3rpr3t3r____`, which provides direct access to the jinjavaInterpreter instance.\nThis variable was previously abused and protections were added to prevent call method from `JinjavaInterpreter` instances (see [Add interpreter to blacklist](https://github.com/HubSpot/jinjava/commit/1b9aaa4b420c58b4a301cf4b7d26207f1c8d1165)).\nHowever, interacting with the properties of `JinjavaInterpreter` instances remains [unrestricted](https://github.com/HubSpot/jinjava/blob/jinjava-2.8.0/src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java#L80-L84).\n\nFrom `____int3rpr3t3r____`, it is possible to traverse to the `config` field, which exposes an ObjectMapper. By invoking `readValue(String content, JavaType valueType)` on this ObjectMapper, an attacker can instantiate arbitrary classes specified via `JavaType`.\n\nAlthough jinjava explicitly restricts dangerous classes such as `Class`, `ClassLoader`, and so on inside `JinjavaBeanELResolver`, the `JavaType` class itself is [not restricted](https://github.com/HubSpot/jinjava/blob/jinjava-2.8.0/src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java#L246-L262). \n\nAs a result, an attacker can leverage `JavaType` construction (`constructFromCanonical`) to instantiate semi-arbitrary classes without directly calling restricted methods.\n\nThis allows sandbox escape and the creation of powerful primitives. \n\n### Impact\nEscape the Jinjava sandbox and instantiate a wide range of classes using JavaType.\nThis capability can be used to read arbitrary files and to perform full read SSRF by creating network-related objects.\nIn certain environments, depending on the available classes, this primitive can even lead to complete remote code execution.",
  "id": "GHSA-m49c-g9wr-hv6v",
  "modified": "2025-09-22T16:16:42Z",
  "published": "2025-09-17T19:56:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HubSpot/jinjava/security/advisories/GHSA-m49c-g9wr-hv6v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59340"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HubSpot/jinjava/commit/66df351e7e8ad71ca04dcacb4b65782af820b8b1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HubSpot/jinjava"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jinjava has Sandbox Bypass via JavaType-Based Deserialization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.