CVE-2025-23211
Published 2025-01-28. CVE-2025-23211: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute…
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: EPSS 3.46% (87.6th percentile)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server; in the case of the provided Docker Compose file, as root. This vulnerability is fixed in 1.5.24.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tandoor | recipes | < 1.5.24 | 1.5.24 |
| tandoorrecipes | recipes | < 1.5.24 | 1.5.24 |
Detection & IOCs (extracted from sources)
- url: GET /accounts/login/ HTTP/1.1
- url: POST /accounts/login/
- url: POST /api/recipe/
- url: PUT /api/recipe/{{recipe_id}}/
- command: {{(num1*num2)|int}}
- path: /cookbook/helper/template_helper.py#L95
- SSTI payload is injected into the 'instruction' field of a recipe step via the PUT /api/recipe/<id>/ endpoint. Look for Jinja2 template expressions (e.g., {{ ... }}) in JSON bodies sent to this endpoint.
- The vulnerability is triggered through authenticated recipe step instructions rendered by Jinja2 in template_helper.py at line 95. Monitor for template expression syntax in recipe API payloads.
- Detection flow: attacker logs in (POST /accounts/login/), creates a recipe (POST /api/recipe/), injects SSTI payload via PUT /api/recipe/<id>/, then retrieves the result (GET /api/recipe/<id>/). Alert on this sequence from a single authenticated session.
- The CSRF token is extracted from the login page and reused in the X-CSRFToken header for API calls. Anomalous rapid API sequences (login → create recipe → update recipe → read recipe) from a single session may indicate exploitation.
- Confirmed exploitation is indicated by the response body containing 'instructions_markdown' alongside the computed arithmetic result of the injected template expression, returned as application/json.
- Shodan fingerprint for exposed Tandoor Recipes instances: search for html:"Tandoor Recipes".
- Exploitation requires valid authenticated credentials (a low-privilege user is sufficient). The CVSS score of 9.9 reflects that any authenticated user can achieve RCE.
- In the default Docker Compose deployment, the application runs as root, meaning successful exploitation yields root-level command execution on the host.
- The vulnerability is fixed in version 1.5.24. All instances running versions prior to 1.5.24 are affected.
- The EPSS score is 0.68398 (98.621st percentile), indicating very high likelihood of active exploitation in the wild.
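As an added illustration of the detection guidance above (not part of the advisory, the Nuclei template or the Tandoor project), the following Python sketch flags Jinja2 syntax inside write requests to the recipe API and correlates the login → create → update → read sequence per session. The request log, session ids and recipe ids are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Jinja2 delimiters: expression {{ ... }}, statement {% ... %}, comment {# ... #}.
JINJA_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)
RECIPE_ITEM_RE = re.compile(r"^/api/recipe/\d+/?$")   # /api/recipe/<id>/

# Constructed request log (one dict per request, already parsed from the access/WAF log).
LOG = [
    {"session": "s1", "method": "POST", "path": "/accounts/login/", "body": ""},
    {"session": "s1", "method": "POST", "path": "/api/recipe/",
     "body": '{"name": "Soup", "steps": [{"instruction": "Boil water"}]}'},
    {"session": "s1", "method": "PUT", "path": "/api/recipe/42/",
     "body": '{"steps": [{"instruction": "{{(num1*num2)|int}}"}]}'},
    {"session": "s1", "method": "GET", "path": "/api/recipe/42/", "body": ""},
    {"session": "s2", "method": "PUT", "path": "/api/recipe/7/",
     "body": '{"steps": [{"instruction": "Stir for 2 minutes"}]}'},
]

def find_template_syntax(obj):
    """Walk a decoded JSON body and return every string value containing Jinja2 syntax."""
    hits = []
    if isinstance(obj, dict):
        for v in obj.values():
            hits.extend(find_template_syntax(v))
    elif isinstance(obj, list):
        for v in obj:
            hits.extend(find_template_syntax(v))
    elif isinstance(obj, str) and JINJA_RE.search(obj):
        hits.append(obj)
    return hits

def flag_requests(log):
    """Return (session, method, path, matched_strings) for recipe-API writes carrying template syntax."""
    alerts = []
    for rec in log:
        if rec["method"] in ("POST", "PUT", "PATCH") and rec["path"].startswith("/api/recipe/"):
            try:
                body = json.loads(rec["body"])
            except (ValueError, TypeError):
                continue                      # empty or non-JSON body: nothing to inspect
            hits = find_template_syntax(body)
            if hits:
                alerts.append((rec["session"], rec["method"], rec["path"], hits))
    return alerts

def suspicious_sessions(log):
    """Sessions that complete login -> create recipe -> update recipe -> read recipe, in that order."""
    wanted = [("POST", lambda p: p == "/accounts/login/"), ("POST", lambda p: p == "/api/recipe/"),
              ("PUT", RECIPE_ITEM_RE.match), ("GET", RECIPE_ITEM_RE.match)]
    progress = defaultdict(int)               # session -> index of next expected step
    for rec in log:
        i = progress[rec["session"]]
        if i < len(wanted) and rec["method"] == wanted[i][0] and wanted[i][1](rec["path"]):
            progress[rec["session"]] = i + 1
    return sorted(s for s, i in progress.items() if i == len(wanted))
```

Both signals are weak on their own (a benign step could legitimately contain braces); raising an alert only when a flagged write and the full sequence coincide in one session keeps the false-positive rate manageable.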
No advisories linked to this vulnerability.
No detection rules found.
Nuclei template: CVE-2025-23211 [CRITICAL] Tandoor Recipes < 1.5.24 - Jinja2 SSTI RCE (CVSS 9.9)
Tandoor Recipes < 1.5.24 has a Jinja2 SSTI vulnerability that allows command execution via recipe steps.
Template:
```yaml
id: CVE-2025-23211
info:
  name: Tandoor Recipes < 1.5.24 - Jinja2 SSTI RCE
  author: sammiee5311
  severity: critical
  description: |
    Tandoor Recipes < 1.5.24 has a Jinja2 SSTI vulnerability that allows command execution via recipe steps.
  impact: |
    Attackers can execute arbitrary code on the server by injecting malicious Jinja2 template expressions in recipe steps. This may lead to full server compromise, data disclosure, and privilege escalation.
  remediation: |
    Upgrade to Tandoor Recipes version 1.5.24 or later.
  reference:
    - https://github.com/TandoorRecipes/recipes/blob/4f9bff20c858180d0f7376de443a9fe4c123a50c/cookbook/helper/template
```
No writeups or analysis indexed.
References:
- https://github.com/TandoorRecipes/recipes/blob/4f9bff20c858180d0f7376de443a9fe4c123a50c/cookbook/helper/template_helper.py#L95
- https://github.com/TandoorRecipes/recipes/commit/e6087d5129cc9d0c24278948872377e66c2a2c20
- https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-r6rj-h75w-vj8v