Summary
fief-server Server-Side Template Injection vulnerability
Server-Side Template Injection
Overview of the Vulnerability
Server-Side Template Injection (SSTI) is a vulnerability within application templating engines where user input is improperly handled and is embedded into the template, possibly leading code being executed.
An attacker can use SSTI to execute code on the underlying system by manipulating values within the embedded template. When code is executed within the underlying system, it can allow an attacker to run permissioned commands under the exploited process, or exploit Cross-Site Scripting (XSS) to run code within the user's browser.
Business Impact
SSTI can lead to reputational damage for the business due to a loss in confidence and trust by users. If an attacker successfully executes code within the underlying system, it can result in data theft and indirect financial losses.
Steps to Reproduce
- Sign up and login to your account
- Use a browser to navigate to: email-templates {{URL}}
- put your payload in Edit Base template
{{ cycler.__init__.__globals__.os.popen('id').read() }}and you will se it will execute.
Payload:{{ cycler.__init__.__globals__.os.popen('id').read() }}
Proof of Concept (PoC)
The screenshot(s) below demonstrates the SSTI:
Impact
GHSA-HJ8M-9FHF-V7JP has a CVSS score of 10.0 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.25.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-HJ8M-9FHF-V7JP? GHSA-HJ8M-9FHF-V7JP is a critical-severity security vulnerability in fief-server (pip), affecting versions >= 0.19.0, < 0.25.3. It is fixed in 0.25.3.
- How severe is GHSA-HJ8M-9FHF-V7JP? GHSA-HJ8M-9FHF-V7JP has a CVSS score of 10.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of fief-server are affected by GHSA-HJ8M-9FHF-V7JP? fief-server (pip) versions >= 0.19.0, < 0.25.3 is affected.
- Is there a fix for GHSA-HJ8M-9FHF-V7JP? Yes. GHSA-HJ8M-9FHF-V7JP is fixed in 0.25.3. Upgrade to this version or later.
- Is GHSA-HJ8M-9FHF-V7JP exploitable, and should I be worried? Whether GHSA-HJ8M-9FHF-V7JP is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-HJ8M-9FHF-V7JP is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-HJ8M-9FHF-V7JP? Upgrade
fief-serverto 0.25.3 or later.