Platform
python
Component
recipes
Fixed version
1.5.25
CVE-2025-23211 describes a critical Remote Code Execution (RCE) vulnerability in Tandoor Recipes, an application for recipe management, meal planning, and shopping list creation. The flaw lets unauthorized users execute arbitrary commands on the server, posing a significant threat to data integrity and system security. It affects versions of Tandoor Recipes prior to 1.5.24; the fix is available in version 1.5.24.
The impact of this RCE vulnerability is severe. An attacker can leverage it to execute arbitrary code on the server hosting Tandoor Recipes. Because the project's provided Docker Compose file runs the application as root, successful exploitation could grant the attacker complete control over the system, including access to sensitive data, modification of system configuration, and installation of malware. This could lead to data breaches, denial of service, and further compromise of the network. The potential blast radius extends beyond the application itself to any resource reachable from the compromised server. The vulnerability is a Jinja2 server-side template injection (SSTI) and shares its root cause with other Jinja2 SSTI flaws, underscoring the importance of never letting user input reach a template as template source.
CVE-2025-23211 was published on January 28, 2025. Its severity is indicated by a CVSS score of 10 (CRITICAL). As of the publication date, there is no indication that the vulnerability is being actively exploited in the wild. Public Proof-of-Concept (POC) code is likely to emerge given the ease of exploitation associated with SSTI vulnerabilities. The EPSS score is expected to be high, reflecting the critical nature of the vulnerability and the potential for widespread exploitation.
Exploit status
EPSS
0.88% (75th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-23211 is to upgrade Tandoor Recipes to version 1.5.24 or later immediately. If upgrading is not immediately feasible, consider temporary workarounds. Input validation and sanitization of all user-supplied data that reaches Jinja2 templates is crucial. If a Web Application Firewall (WAF) or reverse proxy is in place, configure rules to block suspicious Jinja2 template expressions. Review the Docker Compose file and ensure the application does not run with unnecessary elevated privileges, particularly root. After upgrading, confirm the vulnerability is resolved by submitting a simple Jinja2 expression (e.g., {{7*7}}) in an input field and verifying that it is echoed back literally rather than evaluated.
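The three points above (the SSTI anti-pattern, the hardened rendering path, and the {{7*7}} post-upgrade check) in runnable form, as an added example that is not Tandoor's code; the function names and the "Recipe:" template are hypothetical, and the delimiter check stands in for the WAF rule the advisory recommends.

```python
# Added example (not from the Tandoor Recipes project): shows why building a
# Jinja2 template from user text is an SSTI, what the fixed pattern looks like,
# and how to run the advisory's {{7*7}} check against a render path.
import re
from jinja2 import Template
from jinja2.sandbox import ImmutableSandboxedEnvironment


def render_vulnerable(user_text: str) -> str:
    """Anti-pattern: user text becomes part of the template SOURCE, so any
    {{ ... }} or {% ... %} it carries is parsed and evaluated by Jinja2."""
    return Template("Recipe: " + user_text).render()


def render_hardened(user_text: str) -> str:
    """Fixed template; user text is passed as a VARIABLE, so it is only
    substituted (and HTML-escaped), never interpreted as template syntax.
    The sandbox is defence in depth, not a substitute for this separation."""
    env = ImmutableSandboxedEnvironment(autoescape=True)
    tmpl = env.from_string("Recipe: {{ name }}")
    return tmpl.render(name=user_text)


# Coarse WAF-style rule: Jinja2 expression or statement delimiters in input.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def looks_like_template_expression(user_text: str) -> bool:
    """Flag inputs carrying Jinja2 delimiters for logging or blocking."""
    return TEMPLATE_SYNTAX.search(user_text) is not None


def probe_is_fixed(render) -> bool:
    """The advisory's post-upgrade check: submit {{7*7}} to a render path and
    confirm it is echoed literally instead of being evaluated to 49."""
    out = render("{{7*7}}")
    return "49" not in out and "{{7*7}}" in out


if __name__ == "__main__":
    print(render_vulnerable("{{7*7}}"))        # Recipe: 49  (evaluated: SSTI)
    print(render_hardened("{{7*7}}"))          # Recipe: {{7*7}}  (literal)
    print(probe_is_fixed(render_vulnerable))   # False
    print(probe_is_fixed(render_hardened))     # True
```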
Upgrade Tandoor Recipes to version 1.5.24 or later. This version fixes the SSTI vulnerability that allows remote code execution. The update can be performed through the package management system or by downloading the new version from the official website.
It's a critical Remote Code Execution (RCE) vulnerability in Tandoor Recipes that allows attackers to run commands on the server.
You are affected if you are using Tandoor Recipes versions prior to 1.5.24.
Upgrade Tandoor Recipes to version 1.5.24 or later. Implement input validation and WAF rules as temporary mitigations.
As of January 28, 2025, there's no public evidence of active exploitation, but POC code is likely to emerge.
Refer to the official Tandoor Recipes security advisories and the NVD entry for CVE-2025-23211.