CVE-2025-59340
Published 2025-09-17
Priority P274 · Severity: critical · CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.31% (percentile 81.3)
jinjava is a Java-based template engine based on Django template syntax, adapted to render Jinja templates. Prior to 2.8.1, by using `mapper.getTypeFactory().constructFromCanonical()`, it is possible to instruct the underlying Jackson `ObjectMapper` to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as `java.net.URL`, opening up the ability to read local files and URLs (e.g., `file:///etc/passwd`). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hubspot | jinjava | < 2.8.1 | 2.8.1 |
OSV · 2025-09-17
CVE-2025-59340 [CRITICAL] jinjava has Sandbox Bypass via JavaType-Based Deserialization
### Summary
jinjava's current sandbox restrictions prevent direct access to dangerous methods such as `getClass()`, and block instantiation of `Class` objects. However, these protections can be bypassed.
By using `mapper.getTypeFactory().constructFromCanonical()`, it is possible to instruct the underlying `ObjectMapper` to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals.
As a result, an attacker can escape the sandbox and instantiate classes such as `java.net.URL`, opening up the ability to read local files and URLs (e.g., `file:///etc/passwd`). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
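The bypass in the page description and in the OSV summary above rests on one Jackson primitive: a type name supplied as a string is turned into a `JavaType`, and attacker-controlled JSON is then deserialized into that type. The block below is an added example written for this page; it is not jinjava's code and not the reported payload, and it does not show how a template reaches the `ObjectMapper` inside jinjava, because the page does not describe that. It uses only the public Jackson API (`constructFromCanonical`, `readValue`) to show that the string `"java.net.URL"` plus the JSON string `"file:///etc/passwd"` yield a live `java.net.URL` with no class literal and no `getClass()` call, and then adds a hypothetical allow-list guard (`ALLOWED_TYPES`, `deserializeIntoAllowed`) to illustrate the principle of never letting untrusted input pick the target type. That guard is an assumption for illustration, not the 2.8.1 fix, whose details the page does not give.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.Set;

/**
 * Added example (not jinjava code): the JavaType-based deserialization
 * primitive named in CVE-2025-59340, reproduced with plain Jackson.
 */
public class JavaTypeDeserDemo {

    /**
     * The dangerous pattern: both the canonical type name and the JSON
     * payload are strings, so an attacker who controls them controls
     * which class gets instantiated. No class literal, no reflection
     * on the caller's side.
     */
    static Object deserializeInto(ObjectMapper mapper, String canonicalType, String json)
            throws Exception {
        JavaType type = mapper.getTypeFactory().constructFromCanonical(canonicalType);
        return mapper.readValue(json, type);
    }

    /**
     * Hypothetical guard (assumption for illustration, not the upstream
     * fix): untrusted input may only select from a fixed set of harmless
     * target types; anything else is rejected before Jackson sees it.
     */
    static final Set<String> ALLOWED_TYPES = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Boolean");

    static Object deserializeIntoAllowed(ObjectMapper mapper, String canonicalType, String json)
            throws Exception {
        if (!ALLOWED_TYPES.contains(canonicalType)) {
            throw new IllegalArgumentException("target type not allowed: " + canonicalType);
        }
        return deserializeInto(mapper, canonicalType, json);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Constructed attacker input: in the jinjava case these two strings
        // would originate from template expressions.
        String attackerType = "java.net.URL";
        String attackerJson = "\"file:///etc/passwd\"";

        // Unguarded: Jackson's built-in URL deserializer runs new URL(text),
        // handing back a java.net.URL the sandbox never meant to expose.
        Object o = deserializeInto(mapper, attackerType, attackerJson);
        System.out.println("instantiated: " + o.getClass().getName());

        // From here the file read is ordinary URL use (first line only, on a Unix host).
        URL url = (URL) o;
        try (BufferedReader r = new BufferedReader(new InputStreamReader(url.openStream()))) {
            System.out.println("first line: " + r.readLine());
        }

        // Guarded: the same input is refused before any type is constructed.
        try {
            deserializeIntoAllowed(mapper, attackerType, attackerJson);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Run against jackson-databind on the classpath; the first part prints `java.net.URL` and the first line of `/etc/passwd`, the second part prints the rejection. The lesson for reviewers is the shape of the primitive, not the specific class: any code path that lets template-controlled strings reach `constructFromCanonical` (or `TypeFactory.constructType`, `ObjectMapper.readValue` with a caller-chosen type) is equivalent to handing the template a constructor for every class on the classpath, and the only robust defence is to keep such objects out of the template's reach or, as the advisory states, upgrade to 2.8.1 or later.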
GHSA · 2025-09-17
CVE-2025-59340 [CRITICAL] CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) jinjava has Sandbox Bypass via JavaType-Based Deserialization
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-17