CVE-2025-53833

LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/saleem-hadad/larecipe/commit/c1d0d56889655ce5f2645db5acf0e78d5fc3b36b
https://github.com/saleem-hadad/larecipe/pull/390
https://github.com/saleem-hadad/larecipe/security/advisories/GHSA-jv7x-xhv2-p5v2

Configurations

No configuration.

History

15 Jul 2025, 13:14

Type	Values Removed	Values Added
Summary		(es) LaRecipe es una aplicación que permite a los usuarios crear documentación con Markdown dentro de una aplicación Laravel. Las versiones anteriores a la 2.8.1 son vulnerables a la inyección de plantillas del lado del servidor (SSTI), lo que podría provocar la ejecución remota de código (RCE) en configuraciones vulnerables. Los atacantes podrían ejecutar comandos arbitrarios en el servidor, acceder a variables de entorno sensibles o escalar el acceso según la configuración del servidor. Se recomienda encarecidamente a los usuarios actualizar a la versión 2.8.1 o posterior para recibir un parche.

14 Jul 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-14 23:15

Updated : 2025-07-15 13:14

NVD link : CVE-2025-53833

Mitre link : CVE-2025-53833

CVE.ORG link : CVE-2025-53833

JSON object : View

Products Affected

No product.

CWE

CWE-1336

{"id": "CVE-2025-53833", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2025-07-14T23:15:24.710", "references": [{"url": "https://github.com/saleem-hadad/larecipe/commit/c1d0d56889655ce5f2645db5acf0e78d5fc3b36b", "source": "security-advisories@github.com"}, {"url": "https://github.com/saleem-hadad/larecipe/pull/390", "source": "security-advisories@github.com"}, {"url": "https://github.com/saleem-hadad/larecipe/security/advisories/GHSA-jv7x-xhv2-p5v2", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch."}, {"lang": "es", "value": "LaRecipe es una aplicaci\u00f3n que permite a los usuarios crear documentaci\u00f3n con Markdown dentro de una aplicaci\u00f3n Laravel. Las versiones anteriores a la 2.8.1 son vulnerables a la inyecci\u00f3n de plantillas del lado del servidor (SSTI), lo que podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo (RCE) en configuraciones vulnerables. Los atacantes podr\u00edan ejecutar comandos arbitrarios en el servidor, acceder a variables de entorno sensibles o escalar el acceso seg\u00fan la configuraci\u00f3n del servidor. Se recomienda encarecidamente a los usuarios actualizar a la versi\u00f3n 2.8.1 o posterior para recibir un parche."}], "lastModified": "2025-07-15T13:14:24.053", "sourceIdentifier": "security-advisories@github.com"}