Home > Vulnerability Database > CVE-2025-25362

Mend.io Vulnerability Database

CVE-2025-25362

Good to know:

Date: March 4, 2025

A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.

Severity Score

9.8

Related Resources (8)

Url: https://www.hacktivesecurity.com/blog/2025/04/01/cve-2025-25362-old-vulnerabilities-new-victims-breaking-llm-prompts-with-ssti/

Url: https://github.com/explosion/spacy-llm/pull/491

Url: https://github.com/explosion/spacy-llm/issues/492

Url: https://github.com/explosion/spacy-llm

Url: https://github.com/explosion/spacy-llm/commit/8bde0490cc1e9de9dd2e84480b7b5cd18a94d739

Url: https://www.hacktivesecurity.com/blog/2025/04/01/cve-2025-25362-old-vulnerabilities-new-victims-breaking-llm-prompts-with-ssti

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-25362

Url: https://www.mend.io/vulnerability-database/CVE-2025-25362

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

Top Fix

Upgrade Version

Upgrade to version spacy-llm - 0.7.3

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-25362

Good to know:

Date: March 4, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?