
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability was discovered in PySpur-Dev pyspur versions up to 0.1.18, identified as CVE-2025-6518. The vulnerability affects the SingleLLMCallNode function in the file backend/pyspur/nodes/llm/singlellmcall.py, part of the Jinja2 template handler. The issue was disclosed on June 23, 2025, and involves improper neutralization of special elements used in a template engine (NVD, Wiz).
The vulnerability stems from unsafe use of Jinja2's Template in the run method of the SingleLLMCallNode class. Specifically, the user_message parameter in the config object can be controlled by users, so a user-supplied string is compiled and rendered as template source, allowing template injection. The vulnerability has been assigned CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) and CWE-791 (Incomplete Filtering of Special Elements). The CVSS v3.1 base score is 6.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (VulDB).
The vulnerability allows remote attackers to execute arbitrary code on affected systems through template injection. This can lead to complete system compromise, affecting the confidentiality, integrity, and availability of the affected system. The attack can be launched remotely, and exploitation is considered relatively easy because public proof-of-concept code is available (GitHub Issue).
At the time of disclosure, there was no official patch or mitigation strategy provided by the vendor. It is recommended to replace the affected software with an alternative product until a security fix is available (VulDB).
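The defect class described above (a user-controlled config field compiled as Jinja2 template source) is easiest to see next to its hardened form. The following is an added example written for this entry; it is not PySpur code, and the NodeConfig and NodeInputs classes are simplified stand-ins for the node config and inputs the advisory mentions, not the project's real types. The weak function keeps the pattern the advisory describes; the hardened function keeps the template source fixed and passes user text only as a variable value, with a SandboxedEnvironment as defence in depth. The last function is a regression check a defender can keep in a test suite: it puts a benign arithmetic expression in the user field and reports whether the render path evaluated it.

```python
"""Jinja2 template injection (CWE-1336): weak render pattern beside a hardened one.

Added example for this advisory, not PySpur's own code. NodeConfig and
NodeInputs are hypothetical stand-ins for the config/inputs described in the
text; they are not the project's real classes.
"""
from dataclasses import dataclass, field

from jinja2 import Template
from jinja2.sandbox import SandboxedEnvironment


@dataclass
class NodeConfig:
    """Stand-in for a node config whose fields may be user-controlled."""
    user_message: str
    system_hint: str = "Answer concisely."


@dataclass
class NodeInputs:
    """Stand-in for upstream node outputs exposed to the prompt."""
    values: dict = field(default_factory=dict)


def render_weak(config: NodeConfig, inputs: NodeInputs) -> str:
    """Weak pattern: the user-controlled string IS the template source.

    Anything the user writes between {{ }} or {% %} is parsed and executed
    by Jinja2. This mirrors the class of defect the advisory describes
    (user_message used as Template source), kept here only for comparison.
    """
    return Template(config.user_message).render(**inputs.values)


# Hardened pattern: the template source is fixed text owned by the operator.
# User-supplied text only ever enters as a variable VALUE, so Jinja2 never
# parses it. The operator template is compiled in a SandboxedEnvironment as
# defence in depth (it restricts attribute/method access that could reach
# Python internals); the primary control is the source/data separation.
_TRUSTED_PROMPT = "{{ system_hint }}\n\nUser: {{ user_message }}"
_SANDBOX = SandboxedEnvironment()
_TRUSTED_TEMPLATE = _SANDBOX.from_string(_TRUSTED_PROMPT)


def render_hardened(config: NodeConfig, inputs: NodeInputs) -> str:
    """Hardened pattern: user text is data, never template source."""
    # Build the context explicitly so upstream inputs cannot shadow the
    # fields the operator template expects.
    context = {
        **inputs.values,
        "system_hint": config.system_hint,
        "user_message": config.user_message,
    }
    return _TRUSTED_TEMPLATE.render(**context)


def treats_user_text_as_template(render, probe: str = "{{ 6 * 7 }}") -> bool:
    """Regression check: does this render path evaluate user text as a template?

    A benign arithmetic expression is placed in the user-controlled field.
    If the literal probe is missing from the output, Jinja2 evaluated it,
    which means the render path is vulnerable and must be fixed.
    """
    out = render(NodeConfig(user_message=probe), NodeInputs())
    return probe not in out


if __name__ == "__main__":
    # Constructed sample config and inputs for a stand-alone run.
    cfg = NodeConfig(user_message="Summarize {{ doc_title }} please")
    ins = NodeInputs({"doc_title": "Q3 report"})
    print("weak     :", repr(render_weak(cfg, ins)))
    print("hardened :", repr(render_hardened(cfg, ins)))
    print("weak path evaluates user text:", treats_user_text_as_template(render_weak))
    print("hardened path evaluates user text:", treats_user_text_as_template(render_hardened))
```

The usage block shows the trade-off directly: the weak path substitutes `doc_title` into the user's message because the message was compiled as a template, while the hardened path leaves the user's `{{ doc_title }}` as literal text. If a feature genuinely needs user-authored templates, that text should still never be handed to Template() directly; at minimum it belongs in a SandboxedEnvironment with a restricted context, and the check above should be part of the test suite so a regression is caught before release.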
Source: This report was generated using AI