CVE-2025-23211
Published: 28 January 2025
Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server, as root in the case of the provided Docker Compose file. This vulnerability is fixed in 1.5.24.
Security Summary
CVE-2025-23211 is a Jinja2 Server-Side Template Injection (SSTI) vulnerability in Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists. The flaw, classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) and CWE-94 (Improper Control of Generation of Code), resides in the template rendering logic of the cookbook/helper/template_helper.py component. It affects versions prior to 1.5.24 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), critical severity, because successful exploitation can lead to complete system compromise.
Any authenticated user (low privileges required) can exploit this vulnerability remotely over the network with low complexity and no user interaction. By injecting malicious Jinja2 templates, attackers achieve arbitrary command execution on the server. In deployments using the provided Docker Compose file, this executes with root privileges, enabling full control over the host system, including high-impact confidentiality, integrity, and availability violations with changed scope.
The GitHub security advisory (GHSA-r6rj-h75w-vj8v) and the fixing commit (e6087d5129cc9d0c24278948872377e66c2a2c20) describe the mitigation: a patch to the template sanitization in template_helper.py at line 95, shipped in versions 1.5.24 and later. Security practitioners should upgrade immediately, review which users hold authenticated access, and audit Jinja2 usage in similar applications for the same pattern of rendering user-controlled text as a template.
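The general hardening that the audit above looks for is shown in the following added example; it is not Tandoor's code and makes no claim about what the fixing commit changes at line 95. It contrasts the vulnerable pattern (rendering user-controlled text in a plain Jinja2 Environment, where template expressions can reach any attribute of any object in the context) with rendering in a SandboxedEnvironment, which refuses access to private and otherwise unsafe attributes. StrictUndefined is added so that the refusal raises SecurityError at render time instead of silently producing an empty string, and a wrapper turns that into a rejection the endpoint can log. The template strings and recipe context are constructed sample inputs; the function names are this example's own.

```python
from jinja2 import Environment, StrictUndefined, TemplateSyntaxError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample inputs: a benign user-supplied template, and one that
# probes an object's internals, which is the first thing an SSTI attempt does.
BENIGN_TEMPLATE = "Serves {{ servings }}: {{ name }}"
PROBING_TEMPLATE = "{{ name.__class__ }}"
RECIPE = {"servings": 4, "name": "Soup"}


def render_unsandboxed(template_src, context):
    """Vulnerable pattern: user text compiled as a template in a plain Environment.
    Attribute access is unrestricted, so template code walks Python internals."""
    return Environment().from_string(template_src).render(**context)


def render_sandboxed(template_src, context):
    """Hardened pattern: SandboxedEnvironment blocks attributes that start with
    an underscore and other unsafe internals; StrictUndefined makes the blocked
    access raise SecurityError when rendered rather than printing ''."""
    env = SandboxedEnvironment(undefined=StrictUndefined, autoescape=True)
    return env.from_string(template_src).render(**context)


def render_user_template(template_src, context):
    """What an application endpoint should call. Returns (accepted, text);
    sandbox violations, unknown variables and syntax errors become a rejection
    the caller can log as a potential SSTI attempt instead of a traceback."""
    try:
        return True, render_sandboxed(template_src, context)
    except SecurityError as exc:
        return False, f"rejected unsafe template: {exc}"
    except UndefinedError as exc:
        return False, f"rejected template with unknown variable: {exc}"
    except TemplateSyntaxError as exc:
        return False, f"rejected malformed template: {exc}"


if __name__ == "__main__":
    print("plain, benign  :", render_unsandboxed(BENIGN_TEMPLATE, RECIPE))
    print("plain, probing :", render_unsandboxed(PROBING_TEMPLATE, RECIPE))
    print("sandbox, benign:", render_user_template(BENIGN_TEMPLATE, RECIPE))
    print("sandbox, probe :", render_user_template(PROBING_TEMPLATE, RECIPE))
```

The sandbox is a second line of defence, not a substitute for the first one: an application that only needs a handful of placeholders in user-editable text should avoid compiling that text as a template at all, and substitute the placeholders itself. Where a real template engine is required, the rejections returned by the wrapper are worth alerting on, since a legitimate recipe template has no reason to touch `__class__` or any other underscore attribute.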
Details
- CWE(s): CWE-1336, CWE-94