CVE-2025-23211
Published: 28 January 2025
Summary
CVE-2025-23211 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Tandoor Recipes. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the SSTI vulnerability by requiring timely remediation through patching to version 1.5.24, which addresses the flaw in template_helper.py.
- SI-10 (Information Input Validation): validates and sanitizes user input before it reaches the Jinja2 template engine, preventing malicious template injection (CWE-94 and CWE-1336) by authenticated users.
- Vulnerability scanning: identifies the critical SSTI flaw (CVSS 9.9) in Tandoor Recipes versions prior to 1.5.24, enabling proactive patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSTI vulnerability in the web application allows remote exploitation for arbitrary command execution (RCE) on the server, mapping directly to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell, used for OS commands in the Docker/Linux context).
NVD Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server (in the case of the provided Docker Compose file, as root). This vulnerability is fixed in 1.5.24.
Deeper analysis
CVE-2025-23211 is a Jinja2 Server-Side Template Injection (SSTI) vulnerability in Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists. The flaw, tied to CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) and CWE-94 (Improper Control of Generation of Code), resides in the template rendering logic within the cookbook/helper/template_helper.py component. It affects versions prior to 1.5.24 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
Any authenticated user (low privileges required) can exploit this vulnerability remotely over the network with low complexity and no user interaction. By injecting malicious Jinja2 templates, attackers achieve arbitrary command execution on the server. In deployments using the provided Docker Compose file, this executes with root privileges, enabling full control over the host system, including high-impact confidentiality, integrity, and availability violations with changed scope.
The GitHub security advisory (GHSA-r6rj-h75w-vj8v) and fixing commit (e6087d5129cc9d0c24278948872377e66c2a2c20) detail mitigation by patching the template_helper.py sanitization at line 95 in versions 1.5.24 and later. Security practitioners should upgrade immediately, review access controls for authenticated users, and audit Jinja2 usage in similar applications.
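As an added illustration of the mitigation class the advisory points to (constraining what user-authored Jinja2 text can reach), and not Tandoor's own template_helper.py code, the following Python renders a user-supplied snippet through Jinja2's immutable sandbox with StrictUndefined and a read-only data view; RecipeView, render_user_template and check_snippet are hypothetical names and the sample values are constructed.

```python
"""Sandboxed rendering of user-authored Jinja2 snippets (added example)."""
from dataclasses import dataclass

from jinja2 import StrictUndefined
from jinja2.exceptions import SecurityError, TemplateError
from jinja2.sandbox import ImmutableSandboxedEnvironment


@dataclass(frozen=True)
class RecipeView:
    """Hypothetical read-only view passed to templates (not a Tandoor model).

    Only plain data goes in; a leading underscore marks a field that must
    never be reachable from a template.
    """
    name: str
    servings: int
    _owner_token: str = "constructed-secret"


# One process-wide environment: the immutable sandbox refuses private/dunder
# attributes and mutating calls, StrictUndefined turns every refused or unknown
# lookup into an exception instead of a silent empty string, and autoescape
# keeps rendered text safe to embed in HTML.
_ENV = ImmutableSandboxedEnvironment(undefined=StrictUndefined, autoescape=True)


def render_user_template(source: str, recipe: RecipeView) -> str:
    """Render a user-authored snippet against a deliberately small context."""
    return _ENV.from_string(source).render(recipe=recipe)


def check_snippet(source: str, recipe: RecipeView) -> str:
    """Classify a snippet: 'ok', 'blocked-by-sandbox', or 'template-error'.

    Callers should log and reject anything that is not 'ok'; never fall back
    to an unsandboxed render on failure.
    """
    try:
        render_user_template(source, recipe)
    except SecurityError:
        return "blocked-by-sandbox"
    except TemplateError:  # syntax errors, unknown variables, etc.
        return "template-error"
    return "ok"


if __name__ == "__main__":
    demo = RecipeView(name="Lentil soup", servings=4)  # constructed sample
    print(render_user_template("{{ recipe.name }} serves {{ recipe.servings }}", demo))
    for probe in ("{{ recipe._owner_token }}", "{{ recipe.__class__ }}", "{{ missing }}"):
        print(f"{probe!r}: {check_snippet(probe, demo)}")
```

Sandboxing limits what a template can reach but does not make rendering untrusted template source free of risk; where the feature allows it, treating user text as data inserted into a fixed, trusted template is the stronger fix.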
Details
- CWE(s)