cbcvebase.
CVE-2025-23211
published 2025-01-28


Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 3.46% (87.6th percentile)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server; in the case of the provided Docker Compose file, those commands run as root. This vulnerability is fixed in 1.5.24.

Affected (2 ranges)

Vendor          Product   Version range   Fixed in
tandoor         recipes   < 1.5.24        1.5.24
tandoorrecipes  recipes   < 1.5.24        1.5.24

Detection & IOCs (extracted from sources)

url: GET /accounts/login/ HTTP/1.1
url: POST /accounts/login/
url: POST /api/recipe/
url: PUT /api/recipe/{{recipe_id}}/
command: {{(num1*num2)|int}}
path: /cookbook/helper/template_helper.py#L95
  • SSTI payload is injected into the 'instruction' field of a recipe step via PUT /api/recipe/<id>/ endpoint. Look for Jinja2 template expressions (e.g., {{ ... }}) in JSON bodies sent to this endpoint.
  • The vulnerability is triggered through authenticated recipe step instructions rendered by Jinja2 in template_helper.py at line 95. Monitor for template expression syntax in recipe API payloads.
  • Detection flow: attacker logs in (POST /accounts/login/), creates a recipe (POST /api/recipe/), injects SSTI payload via PUT /api/recipe/<id>/, then retrieves the result (GET /api/recipe/<id>/). Alert on this sequence from a single authenticated session.
  • The CSRF token is extracted from the login page and reused in the X-CSRFToken header for API calls. Anomalous rapid API sequences (login → create recipe → update recipe → read recipe) from a single session may indicate exploitation.
  • Confirmed exploitation is indicated by the response body containing 'instructions_markdown' alongside the computed arithmetic result of the injected template expression, returned as application/json.
  • Shodan fingerprint for exposed Tandoor Recipes instances: search for html:"Tandoor Recipes".
  • Exploitation requires valid authenticated credentials (low-privilege user is sufficient). The CVSS score of 9.9 reflects that any authenticated user can achieve RCE.
  • In the default Docker Compose deployment, the application runs as root, meaning successful exploitation yields root-level command execution on the host.
  • The vulnerability is fixed in version 1.5.24. All instances running versions prior to 1.5.24 are affected.
  • The EPSS score is 0.68398 (98.621st percentile), indicating very high likelihood of active exploitation in the wild.
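As an added illustration of the detection notes above (example code, not part of this record or of the Tandoor project), a small Python detector that runs over constructed request-log lines, flags Jinja2 template syntax in recipe-update bodies, and reports the login → create → update → read sequence from a single session; the log line format and session ids are assumptions.

```python
import re
from collections import defaultdict

# Jinja2 delimiters (Tandoor rendered step instructions with Jinja2); stage order from the notes above
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
RECIPE_ID_RE = re.compile(r"^/api/recipe/\d+/$")
EXPLOIT_SEQUENCE = ("login", "create", "update", "read")

def classify(method, path):
    # Map a request to a stage of the sequence, or None if unrelated
    if path == "/accounts/login/" and method == "POST":
        return "login"
    if path == "/api/recipe/" and method == "POST":
        return "create"
    if RECIPE_ID_RE.match(path):
        return {"PUT": "update", "PATCH": "update", "GET": "read"}.get(method)
    return None

def is_subsequence(pattern, stages):
    # True if every stage of pattern occurs in stages in order (gaps allowed)
    it = iter(stages)
    return all(p in it for p in pattern)

def analyze(lines):
    # Assumed log format: '<session> <METHOD> <path>[ <json body>]'; returns {session: [alerts]}
    alerts, stages = defaultdict(list), defaultdict(list)
    for line in lines:
        parts = line.split(" ", 3)
        session, method, path = parts[:3]
        body = parts[3] if len(parts) > 3 else ""
        stage = classify(method, path)
        if stage is None:
            continue
        stages[session].append(stage)
        if stage == "update" and (m := TEMPLATE_RE.search(body)):
            alerts[session].append(f"template syntax in {method} {path}: {m.group(0)}")
    for session, seen in stages.items():
        if is_subsequence(EXPLOIT_SEQUENCE, seen):
            alerts[session].append("login -> create -> update -> read sequence")
    return dict(alerts)

# Constructed sample: s1 follows the full sequence with a template probe, s2 is a normal edit
SAMPLE_LOG = [
    "s1 POST /accounts/login/",
    's1 POST /api/recipe/ {"name":"Soup","steps":[{"instruction":"Boil water"}]}',
    's1 PUT /api/recipe/12/ {"name":"Soup","steps":[{"instruction":"{{(7*191)|int}}"}]}',
    "s1 GET /api/recipe/12/",
    's2 PUT /api/recipe/13/ {"name":"Bread","steps":[{"instruction":"Knead 10 minutes"}]}',
]
```

Only s1 produces alerts on the sample; a real deployment would feed the same function from the reverse proxy or application access log with request bodies captured.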