CVE-2025-1686

io.pebbletemplates:pebble: Path Traversal Vulnerability in Pebble Templates

Description

Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();

INFO

Published Date :

2025-02-27T05:00:05.848Z

Last Modified :

2026-04-19T07:54:57.303Z

Source :

snyk

AFFECTED PRODUCTS

The following products are affected by CVE-2025-1686 vulnerability.

Vendors	Products
Pebbletemplates	Pebble

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-1686.

URL	Resource
https://github.com/PebbleTemplates/pebble/commit/b3451c8f305a1a248fbcc2363fd307d0baaee329
https://github.com/PebbleTemplates/pebble/issues/680
https://github.com/PebbleTemplates/pebble/issues/688
https://github.com/PebbleTemplates/pebble/pull/715
https://nvd.nist.gov/vuln/detail/CVE-2025-1686
https://pebbletemplates.io/wiki/tag/include
https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594
https://www.cve.org/CVERecord?id=CVE-2025-1686