Skip to content

CVE-2025-1686#715

Merged
ebussieres merged 7 commits into
masterfrom
CVE-2025-1686
Dec 11, 2025
Merged

CVE-2025-1686#715
ebussieres merged 7 commits into
masterfrom
CVE-2025-1686

Conversation

@ebussieres

@ebussieres ebussieres commented Nov 23, 2025
edited
Loading

Copy link
Copy Markdown
Member

Fixes: #688 #689

  1. Remove FileLoader by default in PebbleEngine. Only ClasspathLoader will be used by default now
  2. Modify the FileLoader and add a mandatory baseDirectory parameter.
  3. Protect from path traversal

@ebussieres ebussieres added this to the 4.0.1 milestone Nov 23, 2025
@ebussieres ebussieres mentioned this pull request Nov 23, 2025
Closed
@ebussieres ebussieres force-pushed the CVE-2025-1686 branch 5 times, most recently from 7989332 to 5fc9897 Compare November 23, 2025 15:31
@ebussieres ebussieres marked this pull request as draft November 23, 2025 18:10
@ebussieres ebussieres force-pushed the CVE-2025-1686 branch 4 times, most recently from 7a58105 to c073576 Compare November 25, 2025 17:42
@ebussieres ebussieres mentioned this pull request Nov 26, 2025
Closed
@ebussieres ebussieres force-pushed the CVE-2025-1686 branch 4 times, most recently from 8625076 to f9e1898 Compare November 27, 2025 14:28
@ebussieres ebussieres marked this pull request as ready for review November 27, 2025 14:31
@ebussieres ebussieres changed the title chore: remove method getLiteralTemplate and use only a ClasspathLoade… CVE-2025-1686 Nov 27, 2025
@ebussieres ebussieres linked an issue Dec 7, 2025 that may be closed by this pull request
CVE-2025-1686 vulnerability #689
Closed
@ebussieres ebussieres force-pushed the CVE-2025-1686 branch 2 times, most recently from a08ce56 to e2e16fa Compare December 10, 2025 17:08
@ebussieres ebussieres enabled auto-merge (squash) December 11, 2025 18:41
@ebussieres ebussieres merged commit b3451c8 into master Dec 11, 2025
6 checks passed
@ebussieres ebussieres deleted the CVE-2025-1686 branch December 11, 2025 18:43
JLLeitschuh
JLLeitschuh reviewed Dec 15, 2025
View reviewed changes
Comment thread README.md
Comment thread pebble/src/main/java/io/pebbletemplates/pebble/loader/FileLoader.java
@JLLeitschuh

JLLeitschuh commented Dec 15, 2025

Copy link
Copy Markdown

Sorry for not leaving these comments earlier, something was broken in GitHub's mobile app when I was attempting to submit them

@ebussieres

ebussieres commented Dec 15, 2025
edited
Loading

Copy link
Copy Markdown
Member Author

@JLLeitschuh Don't know the procedure to flag the CVE as fixed ? Can you help me with that ?

@SWEYSWISSAS

SWEYSWISSAS commented Apr 16, 2026

Copy link
Copy Markdown

https://nvd.nist.gov/vuln/detail/CVE-2025-1686
Would be nice to have the nvd entry updated

@SWEYSWISSAS

SWEYSWISSAS commented May 5, 2026

Copy link
Copy Markdown

https://nvd.nist.gov/vuln/detail/CVE-2025-1686
It is nice that the description got updated. Somehow the CPE
cpe:2.3:a:pebbletemplates:pebble:::::::: is still showing that all versions are affected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@JLLeitschuh JLLeitschuh JLLeitschuh left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

4.1.0

3 participants

@ebussieres @JLLeitschuh @SWEYSWISSAS