Cyber Resilience

CVE-2025-23211

Critical · Public PoC · RCE

Published: 28 January 2025
Modified: 08 May 2025
KEV Added: not listed
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.6314 (98.4th percentile)
Risk Priority: 58 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-23211 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Tandoor Recipes. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Tandoor Recipes, an application for managing recipes, planning meals, and building shopping lists, contains a Jinja2 server-side template injection vulnerability tracked as CVE-2025-23211. The flaw, assigned CWE-1336 and CWE-94, permits arbitrary command execution and carries a CVSS 3.1 score of 9.9. It is present in versions prior to the 1.5.24 release.

Any authenticated user can exploit the issue over the network to run commands on the underlying server. When the application is deployed via the provided Docker Compose configuration, the commands execute with root privileges, resulting in full host compromise including confidentiality, integrity, and availability impacts.

The project's security advisory and the associated commit indicate that the vulnerability is resolved in version 1.5.24. The fix is in the template_helper.py file and is tracked in the corresponding GitHub advisory GHSA-r6rj-h75w-vj8v.

The EPSS score currently stands at 0.6314 with a recorded peak of 0.6840, reflecting sustained exploitation interest following disclosure.


Vulnerability details

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server; in the case of the provided Docker Compose file, as root. This vulnerability is fixed in 1.5.24.

CWE(s): CWE-1336, CWE-94

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The SSTI vulnerability in the web application enables remote exploitation for arbitrary command execution (RCE) on the server. This maps directly to T1190 (exploitation of a public-facing application) and to T1059.004 (Unix shell, since the OS commands run in a Docker/Linux context).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33149 (same product: Tandoor Recipes)
CVE-2026-35489 (same product: Tandoor Recipes)
CVE-2026-33152 (same product: Tandoor Recipes)
CVE-2026-35045 (same product: Tandoor Recipes)
CVE-2025-23212 (same product: Tandoor Recipes)
CVE-2025-23213 (same product: Tandoor Recipes)
CVE-2026-25991 (same product: Tandoor Recipes)
CVE-2026-35488 (same product: Tandoor Recipes)
CVE-2026-29955 (shared CWE-94)
CVE-2024-55964 (shared CWE-94)

Affected Assets

Vendor: tandoor
Product: recipes
Versions: ≤ 1.5.24

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent): Directly mitigates the SSTI vulnerability by requiring timely remediation through patching to version 1.5.24, which addresses the flaw in template_helper.py.

SI-10 Information Input Validation (prevent): Validates and sanitizes user input reaching the Jinja2 template engine, preventing malicious template injection (CWE-94 and CWE-1336) by authenticated users.

Vulnerability scanning (detect): Vulnerability scanning identifies the critical SSTI flaw (CVSS 9.9) in Tandoor Recipes versions prior to 1.5.24, enabling proactive patching.
