CRITICAL🇵🇱 Wersja polska

CVE-2025-59340

CVSS 9.8v3.1pub. 2025-09-17upd. 2025-09-26

jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Priori to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.

🤖 AI Analysis
How it works

An attacker can exploit the mapper.getTypeFactory().constructFromCanonical() method to induce the built-in ObjectMapper to deserialize attacker-controlled input into arbitrary Java classes. This allows instantiation of classes such as java.net.URL without directly invoking restricted methods or class literals, effectively bypassing the sandbox mechanism. By chaining the obtained primitives, an attacker can gain access to local files and network resources (e.g., file:///etc/passwd), and subsequently achieve remote code execution (RCE).

Impact

An attacker can gain full control over the compromised system, including reading arbitrary local files, establishing connections to external resources, and potentially executing remote code (RCE) without requiring any privileges.

Mitigation & patch

Update the HubSpot Jinjava library to version 2.8.1 or later, where the vulnerability has been fixed. Patches are available in the vendor's GitHub repository (tag jinjava-2.8.1).

Who is affected

HubSpot Jinjava in versions prior to 2.8.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Hubspot Jinjava

    APP
    Hubspot
    < 2.8.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-25526CRITICAL9.8PL ✓ten sam produkt

HubSpot JinJava — obejście sandbox i wykonanie dowolnego kodu Java przez ForTag

CVE-2020-12668MEDIUM6.5ten sam produkt

Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjav...

CVE-2018-18893MEDIUM5.3ten sam produkt

Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELRe...

CVE-2022-1239HIGH8.8ten sam vendor

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, w...

CVE-2017-16035HIGH8.1ten sam vendor

The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads...