CVE-2025-59340
September 17, 2025
jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs (e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
Affected Packages
https://github.com/HubSpot/jinjava.git (GITHUB):
Affected version(s): >=jinjava-1.0.0 <jinjava-2.8.1
Fix Suggestion: Update to version jinjava-2.8.1

com.hubspot.jinjava:jinjava (JAVA):
Affected version(s): =2.8.0 <2.8.1
Fix Suggestion: Update to version 2.8.1

com.hubspot.jinjava:jinjava (JAVA):
Affected version(s): >=1.0.0 <2.8.1
Fix Suggestion: Update to version 2.8.1

com.hubspot.jinjava:jinjava (JAVA):
Affected version(s): >=1.0.0 <2.7.5
Fix Suggestion: Update to version 2.7.5

Related Resources (6)
CVSS v4
Base Score: 9.3
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements Used in a Template Engine
EPSS
Base Score: 0.47