Tandoor Recipes - SSTI - Remote Code Execution
Platform
python
Component
recipes
Fixed version
1.5.25
CVE-2025-23211 describes a critical Remote Code Execution (RCE) vulnerability discovered in Tandoor Recipes, an application designed for recipe management, meal planning, and shopping list creation. This flaw enables unauthorized users to execute arbitrary commands on the server, posing a significant threat to data integrity and system security. The vulnerability affects versions of Tandoor Recipes prior to 1.5.24, and a fix is available in version 1.5.24.
Impact and attack scenarios
The impact of this RCE vulnerability is severe. An attacker can leverage it to execute arbitrary code on the server hosting Tandoor Recipes. Given the provided Docker Compose file runs as root, successful exploitation could grant the attacker complete control over the system, including access to sensitive data, modification of system configurations, and installation of malware. This could lead to data breaches, denial of service, and further compromise of the network. The potential blast radius extends beyond the application itself, potentially impacting any resources accessible from the compromised server. This vulnerability shares similarities with other Jinja2 SSTI exploits, highlighting the importance of proper template input sanitization.
Exploitation context
CVE-2025-23211 was published on January 28, 2025. The vulnerability's severity is indicated by its CVSS score of 10 (CRITICAL). As of the publication date, there is no indication of this vulnerability being actively exploited in the wild. Public Proof-of-Concept (POC) code is likely to emerge given the ease of exploitation associated with SSTI vulnerabilities. The EPSS score is expected to be high, reflecting the critical nature of the vulnerability and the potential for widespread exploitation.
Threat intelligence
Exploitation status
EPSS
0.88% (75th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the Internet with no physical or local access required; the largest possible attack surface.
- Attack Complexity: Low. No special conditions are needed and the vulnerability can be exploited reliably.
- Privileges Required: Low. Any valid user account suffices.
- User Interaction: None. The attack is automatic and silent; the victim does not need to do anything.
- Scope: Changed. The attack can reach beyond the vulnerable component and affect other systems.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete any data.
- Availability: High. Complete crash or resource exhaustion; full denial of service.
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigations and workarounds
The primary mitigation for CVE-2025-23211 is to immediately upgrade Tandoor Recipes to version 1.5.24 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and sanitization on all user-supplied data used in Jinja2 templates is crucial. If using a Web Application Firewall (WAF) or reverse proxy, configure rules to block suspicious Jinja2 template expressions. Carefully review the Docker Compose file and ensure that the application is not running with unnecessary elevated privileges, particularly root. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple Jinja2 command (e.g., {{7*7}}) into an input field and verifying that it does not execute.
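The two defensive steps above, a proxy or middleware rule that blocks Jinja2 template syntax in user-supplied fields and the post-upgrade probe check, can both be expressed as small pieces of code. The following is an added example written for this page; it is not Tandoor Recipes code and does not depend on Jinja2 being installed. It assumes that user input reaches the application as plain text fields that a reverse proxy or middleware can inspect, and that the application echoes a submitted field back in a page you can capture. The request fields and rendered responses in the block are constructed samples.

```python
"""Defensive helpers for the SSTI issue class described in this advisory.

Added example, not Tandoor Recipes code. Assumptions:
  * user-supplied strings arrive as plain text fields that a reverse proxy
    or middleware can inspect before they reach the application (WAF rule);
  * for the post-upgrade check, the application echoes the submitted field
    back in a page whose HTML you can capture.
"""
import re
from typing import Dict, List

# Jinja2 delimiters that recipe data never legitimately needs:
# expression, statement and comment blocks.
_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")
# Python dunder attribute access (e.g. __class__) inside a field is a
# common indicator that someone is trying to walk objects in a template.
_DUNDER = re.compile(r"__\w+__")


def suspicious_template_markers(value: str) -> List[str]:
    """Return the distinct suspicious tokens found in one input value."""
    found = set(_DELIMITERS.findall(value))
    found.update(_DUNDER.findall(value))
    return sorted(found)


def screen_request(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply the rule to every field of a request.

    Returns a mapping field name -> markers for the fields that should be
    blocked; an empty dict means the request passes.
    """
    hits: Dict[str, List[str]] = {}
    for name, value in fields.items():
        markers = suspicious_template_markers(value)
        if markers:
            hits[name] = markers
    return hits


def probe_was_evaluated(probe: str, rendered: str) -> bool:
    """Post-upgrade check from the mitigation section.

    Submit a harmless arithmetic probe such as '{{7*7}}' and capture the page
    that echoes the field back. If the probe text comes back unchanged, the
    template engine did not evaluate it. If the probe is gone and its
    arithmetic result appears instead, the input is still rendered as a
    template and the instance is not fixed.
    """
    if probe in rendered:
        return False
    # Only probes of the form {{a*b}} are supported by this helper.
    m = re.fullmatch(r"\{\{\s*(\d+)\s*\*\s*(\d+)\s*\}\}", probe)
    if m is None:
        raise ValueError("only arithmetic probes of the form {{a*b}} are supported")
    expected = str(int(m.group(1)) * int(m.group(2)))
    return expected in rendered


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    benign = {"name": "Lentil soup", "description": "Serves 4, 45 min."}
    hostile = {"name": "Soup {{7*7}}", "description": "{% if 1 %}x{% endif %}"}
    print(screen_request(benign))   # {}
    print(screen_request(hostile))  # {'name': ['{{', '}}'], 'description': ['%}', '{%']}
    # Constructed responses: a fixed instance echoes the probe literally.
    print(probe_was_evaluated("{{7*7}}", "<h1>Soup {{7*7}}</h1>"))  # False
    print(probe_was_evaluated("{{7*7}}", "<h1>Soup 49</h1>"))       # True
```

The screening rule is deliberately coarse: it rejects any template delimiter rather than trying to decide which expressions are harmful, because a recipe-management workload has no legitimate reason to carry Jinja2 syntax in its fields. The probe check only confirms that one field is no longer rendered as a template; upgrading to the fixed release remains the actual remediation.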
Remediation
Upgrade Tandoor Recipes to version 1.5.24 or later. This version fixes the SSTI vulnerability that allows remote code execution. The update can be performed through the package management system or by downloading the new version from the official website.
Frequently asked questions
What is CVE-2025-23211 — Remote Code Execution (RCE) in Tandoor Recipes?
It's a critical Remote Code Execution (RCE) vulnerability in Tandoor Recipes that allows attackers to run commands on the server.
Am I affected by CVE-2025-23211 in Tandoor Recipes?
You are affected if you are using Tandoor Recipes versions prior to 1.5.24.
How do I fix CVE-2025-23211 in Tandoor Recipes?
Upgrade Tandoor Recipes to version 1.5.24 or later. Implement input validation and WAF rules as temporary mitigations.
Is CVE-2025-23211 being actively exploited?
As of January 28, 2025, there's no public evidence of active exploitation, but POC code is likely to emerge.
Where can I find the official Tandoor Recipes advisory for CVE-2025-23211?
Refer to the official Tandoor Recipes security advisories and the NVD entry for CVE-2025-23211.