Bug 2348665 (CVE-2025-1686)

Summary: CVE-2025-1686 io.pebbletemplates:pebble: Path Traversal Vulnerability in Pebble Templates
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, darran.lofthouse, dkreling, dosoudil, fjuma, fmariani, gmalinko, istudens, ivassile, iweiss, janstey, jpoth, lgao, mosmerov, msochure, msvehla, nwallace, pesilva, pjindal, pmackay, rstancel, rstepani, smaestri, tcunning, tom.jenkinson, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Pebble Templates. This vulnerability allows high-privileged attackers to access sensitive local files via the include tag, enabling arbitrary file inclusion.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-02-27 06:01:15 UTC 
All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.

 Workaround

This vulnerability can be mitigated by disabling the include macro in Pebble Templates:

java
new PebbleEngine.Builder()
            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                    .disallowedTokenParserTags(List.of("include"))
                    .build())
            .build();