CVE-2025-1686: 
Java vulnerability analysis and mitigation

CVE-2025-1686 affects all versions of the io.pebbletemplates:pebble package, which is a Java templating engine inspired by Twig. The vulnerability was discovered by Jonathan Leitschuh and publicly disclosed on February 24, 2025. The issue relates to External Control of File Name or Path vulnerability via the include tag, which affects the template engine's security (Snyk Advisory).

The vulnerability is classified as CWE-73 (External Control of File Name or Path) and has received a CVSS v4.0 score of 6.1 (Medium) from Snyk. The technical assessment indicates that while the attack can be performed over the network and requires no special conditions, it does require high-level privileges. The vulnerability specifically affects the include tag functionality in Pebble Templates, which can be exploited when PebbleTemplate is created with PebbleEngine#getLiteralTemplate (Snyk Advisory).

A high-privileged attacker can access sensitive local files by crafting malicious notification templates that leverage the include tag. This could lead to unauthorized access to system files such as /etc/passwd or /proc/1/environ, potentially exposing sensitive system information (Snyk Advisory).

While there is no fixed version available, the vulnerability can be mitigated by disabling the include macro in Pebble Templates using the following configuration: new PebbleEngine.Builder().registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder().disallowedTokenParserTags(List.of("include")).build()).build() (Snyk Advisory).

The vulnerability was initially reported under the Open Source Security Foundation (OpenSSF) Model Outbound Vulnerability Disclosure Policy on July 15, 2024. Despite multiple attempts to contact the maintainers between July 2024 and February 2025, no response was received, leading to the public disclosure of the vulnerability (GitHub Issue).