CVE-2025-1686

CVE-2025-1686 is a high-severity security vulnerability in io.pebbletemplates:pebble (maven), affecting versions <= 3.2.3. No fixed version is listed yet.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via include macro

If untrusted user input is used to dynamically create a PebbleTemplate with the method PebbleEngine#getLiteralTemplate, then an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of PebbleTemplate#evaluate. This is done via the include macro.

Details

The include macro calls PebbleTempateImpl#resolveRelativePath with the relativePath argument passed within the template:

Example template:

{% include [relativePath] %}

When resolveRelativePath is called, the relativePath is resolved against the PebbleTemplateImpl.name variable.

  /**
   * This method resolves the given relative path based on this template file path.
   *
   * @param relativePath the path which should be resolved.
   * @return the resolved path.
   */
  public String resolveRelativePath(String relativePath) {
    String resolved = this.engine.getLoader().resolveRelativePath(relativePath, this.name);
    if (resolved == null) {
      return relativePath;
    } else {
      return resolved;
    }
  }

https://github.com/PebbleTemplates/pebble/blob/82ad7fcf9e9eaa45ee82ae3335a1409d19c10263/pebble/src/main/java/io/pebbletemplates/pebble/template/PebbleTemplateImpl.java#L380

Unfortunately, when the template is created from a string, as is the case when PebbleEngine#getLiteralTemplate is used, the PebbleTemplateImpl.name variable is actually the entirety of the contents of the template, not a filename as the logic expects. The net result is that the relativePath is resolved against the system root directory. As a result, files accessible from the root directory of the filesystem can be included into a template.

PoC

The following test demonstrates the vulnerability:

PebbleEngine e = new PebbleEngine.Builder().build();

String templateString = """
        {% include '/etc/passwd' %}
        """;
PebbleTemplate template = e.getLiteralTemplate(templateString);

try (final Writer writer = new StringWriter()) {
    template.evaluate(writer, new HashMap<>());
    System.out.println(writer);
}

As an attacker, the following malicious template demonstrates the vulnerability:

{% include '/etc/passwd' %}

Report Timeline

Vulnerability was reported under the Open Source Security Foundation (OpenSSF) Model Outbound Vulnerability Disclosure Policy: Version 0.1.

  • Jul 15, 2024 Maintainer Contacted to enable private vulnerability reporting
  • Jul 18, 2024 I opened a GHSA
    to report this vulnerability to the maintainer https://github.com/PebbleTemplates/pebble/security/advisories/GHSA-7c6h-hmf9-7wj7 (private link)
  • Jul 29, 2024 GHSA updated to ping maintainer about vulnerability, no response
  • Oct 1, 2024 GHSA updated to ping maintainer about vulnerability, no response
  • Nov 15, 2024 GHSA updated to inform maintainer that disclosure timeline had lapsed, no response.
  • Feb 19, 2025 GHSA updated to inform maintainer that disclosure would occur imminently, no response.
  • Feb 24, 2025 this GHSA was created to disclose this vulnerability without a patch available.

For further discussion, see this issue: https://github.com/PebbleTemplates/pebble/issues/688

Credit

This vulnerability was discovered by @JLLeitschuh while at Chainguard Labs. Jonathan is currently independent.

Impact

This is an arbitrary Local File Inclusion (LFI) vulnerability. It can allow attackers to exfiltrate the contents of the local filesystem, including sensitive files into PebbleTemplate output. This can also be used to access the /proc filesystem which can give an attacker access to environment variables.

CVE-2025-1686 has a CVSS score of 6.8 (High). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

io.pebbletemplates:pebble (<= 3.2.3)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

There exists no published fix for this vulnerability. The best way to mitigate this vulnerability is to disable the include macro in Pebble Templates.

The following can safeguard your application from this vulnerability:

new PebbleEngine.Builder()
            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                    .disallowedTokenParserTags(List.of("include"))
                    .build())
            .build();

Frequently Asked Questions

  1. What is CVE-2025-1686? CVE-2025-1686 is a high-severity security vulnerability in io.pebbletemplates:pebble (maven), affecting versions <= 3.2.3. No fixed version is listed yet.
  2. How severe is CVE-2025-1686? CVE-2025-1686 has a CVSS score of 6.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of io.pebbletemplates:pebble are affected by CVE-2025-1686? io.pebbletemplates:pebble (maven) versions <= 3.2.3 is affected.
  4. Is there a fix for CVE-2025-1686? No fixed version is listed for CVE-2025-1686 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2025-1686 exploitable, and should I be worried? Whether CVE-2025-1686 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-1686 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

Other vulnerabilities in io.pebbletemplates:pebble

Stop the waste.
Protect your environment with Kodem.