Overview
CVE-2025-23211 is a critical vulnerability in Tandoor Recipes, an open-source application for managing recipes, meal plans, and shopping lists. The flaw is a server-side template injection (SSTI) in the application's use of Jinja2, which can be escalated to remote code execution on the host. Versions prior to 1.5.24 are affected.
What is SSTI?
Server-Side Template Injection (SSTI) occurs when user-supplied input is embedded into a server-side template as template source rather than as a data value, so the attacker controls template syntax and the engine evaluates whatever expressions they supply. It is especially dangerous with an expressive engine such as Jinja2 in Python, whose expressions can reach Python objects and, through them, the interpreter's own capabilities, so code execution is the usual outcome rather than mere content spoofing.
This vulnerability is categorized under CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine. In this case, untrusted input reaches Jinja2 without being neutralized, allowing an attacker to inject arbitrary template expressions into what the server renders.
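To make the distinction concrete, here is a small self-contained Python example. It is added for this article and is not Tandoor's code, nor does it reproduce the actual injection point of this CVE (which is not detailed here); the three inputs are constructed. It contrasts the vulnerable pattern (compiling user text as the template), the fix (passing user text to a fixed template as data), and Jinja2's SandboxedEnvironment as defense in depth when user-authored templates are a genuine feature.

```python
"""SSTI in Jinja2: vulnerable pattern vs. fixed pattern vs. sandbox.

Added illustration, not code from Tandoor Recipes.
"""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample inputs: a benign string, the classic SSTI probe, and a
# payload that walks from a str literal into Python's object model.
BENIGN = "Hello world"
PROBE = "{{ 7*7 }}"
ESCAPE = "{{ ''.__class__.__mro__[1].__subclasses__() }}"


def render_unsafe(user_text: str) -> str:
    """Vulnerable pattern: the user's text *is* the template source.

    autoescape only HTML-encodes the rendered output; it does nothing to stop
    the engine from evaluating attacker-supplied expressions first.
    """
    env = Environment(autoescape=True)
    return env.from_string(user_text).render()


def render_as_data(user_text: str) -> str:
    """Fixed pattern: the template is a fixed, developer-controlled string and
    the user's text is passed in as a variable, so braces in the input are
    just characters and never reach the parser."""
    env = Environment(autoescape=True)
    return env.from_string("Note: {{ user_text }}").render(user_text=user_text)


def render_sandboxed(user_text: str):
    """Defense in depth for features that legitimately accept user templates:
    SandboxedEnvironment refuses access to private/dunder attributes, so the
    walk via __class__ raises SecurityError. Returns None when blocked.
    Plain arithmetic such as {{ 7*7 }} is still evaluated, so a sandbox
    limits the blast radius but does not remove the need for the fix above."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(user_text).render()
    except SecurityError:
        return None


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("probe", PROBE), ("escape", ESCAPE)):
        print(f"[{label}] unsafe   : {render_unsafe(payload)[:60]}")
        print(f"[{label}] as data  : {render_as_data(payload)}")
        print(f"[{label}] sandboxed: {render_sandboxed(payload)}")
```

Running it shows the probe `{{ 7*7 }}` rendering as `49` in the unsafe path (with or without autoescaping), the same text surviving literally in the data path, and the `__subclasses__` walk blocked only by the sandbox. The `7*7` probe is the quickest way to confirm in a pentest whether an input reaches the template parser at all.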
Technical Impact
The issue allows any authenticated user to execute code on the server. In deployments that use the project's provided Docker Compose setup, the application process runs as root, so the resulting code execution is root as well, which significantly increases the severity of the flaw.
Severity and CVSS Score
This vulnerability has been rated as CRITICAL with a CVSS v3.1 base score of 10.0:
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Network
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact: Complete compromise of confidentiality, integrity, and availability
Exploitation and Risk
According to CISA's SSVC enrichment, the exploitation status is "poc" (a proof of concept exists), the vulnerability is not considered automatable, and the technical impact is "total", indicating that full control over the server is possible.
Mitigation
To remediate this vulnerability:
- Upgrade Tandoor Recipes to version 1.5.24 or later
- Never treat user-supplied text as template source; pass it into fixed templates as a data value only
- Review access control policies to minimize user privileges
- Consider deploying the application with non-root containers
Conclusion
Because SSTI in Jinja2 leads directly to code execution, and here to root in the default container deployment, this vulnerability should be treated as a top priority for remediation.