CVE-2025-53833
Published: 14 July 2025
Summary
CVE-2025-53833 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
LaRecipe is a documentation tool that renders Markdown content inside Laravel applications. Versions prior to 2.8.1 contain a Server-Side Template Injection vulnerability (CWE-1336) that can result in remote code execution when the application is deployed with certain template or configuration settings enabled. The flaw received a CVSS 3.1 score of 10.0, reflecting network-accessible, unauthenticated attack paths with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted Markdown input that is processed by the template engine, allowing execution of arbitrary commands on the underlying server, disclosure of environment variables, or further privilege escalation depending on the runtime configuration. Because the vector requires no user interaction or credentials, any publicly reachable LaRecipe instance prior to the fix is exposed.
The project’s GitHub security advisory and associated pull request direct users to upgrade immediately to version 2.8.1 or later, where the injection issue has been addressed through the commit that sanitizes template input. The referenced advisory (GHSA-jv7x-xhv2-p5v2) and patch commit provide the concrete remediation steps.
EPSS for the CVE reached a peak of 0.3215 on 2026-02-18 before receding to the current value of 0.2082, indicating a period of elevated exploitation interest after disclosure. No information on observed in-the-wild exploitation is supplied in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21400
Vulnerability details
LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers…
more
could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI in public-facing Laravel web app directly enables unauthenticated RCE via command execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the SSTI vulnerability by requiring timely identification, reporting, and patching of the flaw in LaRecipe versions prior to 2.8.1.
Prevents SSTI exploitation by enforcing validation and sanitization of untrusted user-supplied Markdown inputs before template processing.
Identifies the presence of the critical SSTI vulnerability through ongoing vulnerability scanning, enabling proactive remediation.