## Key Information

### Vulnerability Overview

- **CVE ID**: CVE-2026-25526
- **Severity**: Critical
- **Vulnerability Type**: Sandbox Bypass / Remote Code Execution
- **Affected Package**: `com.hubspot.jinjava.jinjava` (Maven)
- **Affected Versions**:
  - `>=2.8.0, <2.8.3`
  - `<2.7.6`
- **Patched Versions**:
  - `2.8.3` or later
  - `2.7.6` or later

### Impact

- **Affected Component**: Jinjava
- **Affected Users**:
  - Organizations using HubSpot's Jinjava template rendering engine to process user-provided template content
  - Any system using HubSpot's Jinjava to render untrusted Jinja templates
  - Users who can create or edit custom code templates

### Severity and Attack Vector

- **Severity**: Allows arbitrary Java class instantiation and file access, bypassing built-in sandbox restrictions
- **CVSS Score**: 9.8 (Critical severity)
- **Attack Vector**: Attackers who can create or edit Jinja templates can:
  - Access arbitrary getter methods of objects in the template context
  - Instantiate ObjectMapper to enable default typing
  - Create arbitrary Java classes by bypassing type allowlists
  - Read files from the server filesystem (e.g., `/etc/passwd`)
  - Potentially execute arbitrary code

### Patch and Remediation

- **Status**: Patched - pending CVE release
- **Upgrade Versions**:
  - Jinjava 2.8.3 or later
  - Jinjava 2.7.6 or later

### Fixed Components

1. **ForTag Security Hardening**: Added security checks in `ForTag.renderForCollection()` to enforce JinjavaBeanELResolver restrictions, etc.
2. **Enhanced Type Validation**: Improved validation mechanism in `JinjavaBeanELResolver.isRestrictedClass()`, etc.
3. **Configuration Protection**: Prevent creation of new JinjavaConfig or JinjavaELContext instances via ObjectMapper, etc.
4. **Collection Type Validation**: Implemented proper type validation in `HubELResolver`, etc.
5. **ObjectMapper Restrictions**: Added additional restrictions on `ObjectMapper.enableDefaultTyping()`, etc.
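To check a build against the affected ranges above, the following added script (not part of the advisory or the Jinjava project) parses `mvn dependency:tree` output, including transitive copies of the artifact, and flags any Jinjava version that falls in `<2.7.6` or `>=2.8.0, <2.8.3`. The sample tree text is constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory for CVE-2026-25526:
#   >=2.8.0, <2.8.3   and   <2.7.6
# Each entry is (lower bound inclusive, upper bound exclusive).
AFFECTED_RANGES = [
    ((2, 8, 0), (2, 8, 3)),
    ((0, 0, 0), (2, 7, 6)),
]

def parse_version(text):
    """Parse 'major.minor.patch' from a Maven version string; qualifiers
    such as '-SNAPSHOT' are ignored. Returns None if no numeric version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version):
    """True if the given Jinjava version falls inside an affected range."""
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

# Matches the Jinjava artifact in `mvn dependency:tree` lines, e.g.
#   [INFO] +- com.hubspot.jinjava:jinjava:jar:2.8.1:compile
TREE_LINE = re.compile(r"com\.hubspot\.jinjava:jinjava:[^:]+:([^:\s]+)")

def scan_dependency_tree(tree_output):
    """Return (version, vulnerable) for every Jinjava artifact in the tree,
    so a vulnerable copy pulled in transitively is not missed."""
    findings = []
    for line in tree_output.splitlines():
        m = TREE_LINE.search(line)
        if m:
            findings.append((m.group(1), is_vulnerable(m.group(1))))
    return findings

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] +- com.hubspot.jinjava:jinjava:jar:2.8.1:compile
[INFO] |  \\- com.google.guava:guava:jar:32.1.2-jre:compile
[INFO] \\- org.example:legacy-reporting:jar:1.4.0:compile
[INFO]    \\- com.hubspot.jinjava:jinjava:jar:2.7.6:compile
"""

if __name__ == "__main__":
    for version, vuln in scan_dependency_tree(SAMPLE_TREE):
        print(f"jinjava {version}: {'VULNERABLE, upgrade' if vuln else 'patched'}")
```

Run it as `mvn dependency:tree | python check_jinjava.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; a 2.7.x line between 2.7.6 and 2.8.0 is reported as patched, matching the advisory's ranges.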
### References

- **Project Resources**:
  - Source Code: [GitHub - HubSpot/jinjava](https://github.com/HubSpot/jinjava)
  - Released Versions: [GitHub - HubSpot/jinjava/releases](https://github.com/HubSpot/jinjava/releases)
- **Security Standards and Classifications**:
  - CWE-502: Deserialization of Untrusted Data
  - CWE-913: Improper Control of Dynamic Code Resources
  - CWE-94: Improper Control of Code Generation (Code Injection)
  - CVSS v3.1: Common Vulnerability Scoring System
- **Additional References**:
  - [OWASP Template Injection](https://owasp.org/www-community/attacks/Template_injection)
  - [Java Deserialization Security](https://github.com/HubSpot/jinjava/wiki/Java-Deserialization-Security)
  - [CVE Standards and Procedures](https://cve.mitre.org/cve/cve_form.html)