CVE-2025-9094: 
Wolfi vulnerability analysis and mitigation

A critical vulnerability has been identified in ThingsBoard version 4.1, specifically affecting the Add Gateway Handler component (CVE-2025-9094). The vulnerability involves improper neutralization of special elements used in a template engine, discovered and disclosed on August 17, 2025. This security flaw affects the ThingsBoard IoT Platform and can be exploited remotely (VulDB).

The vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) and CWE-791 (Incomplete Filtering of Special Elements). It has received a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity and requiring low privileges (VulDB, NVD).

The vulnerability primarily affects system integrity, allowing attackers to manipulate template engine elements remotely. The attack can be initiated remotely and requires low privileges to execute, potentially leading to template injection attacks (VulDB).

The vendor has acknowledged the vulnerability and stated that "[t]he fix will come within upcoming release (v4.2) and will be inherited by maintenance releases of LTS versions (starting 4.0)." Until the patch is available, it is recommended to consider replacing the affected component with an alternative solution (VulDB).