LaRecipe Server-Side Template Injection Vulnerability
Vulnerability Information
Vulnerability name: LaRecipe Server-Side Template Injection Vulnerability
Vulnerability identifiers:
- CVE: CVE-2025-53833
Vulnerability type: Server-Side Template Injection
Severity: Critical
Vulnerability description: LaRecipe is a Laravel-based documentation generator widely used to generate and manage project documentation. It is typically deployed in development environments to provide documentation support for development teams. Because of its ease of use and deep integration with the Laravel framework, LaRecipe has an established user base in the developer community. The vulnerability lies in LaRecipe's template rendering process: improper handling of user input leads to a server-side template injection (SSTI) vulnerability. An attacker can craft malicious template expressions to bypass input validation and directly inject and execute arbitrary code. Exploitation requires no authentication of any kind; an attacker can launch the attack directly through public documentation endpoints. Given the severity of the flaw, an attacker can not only execute remote code but also read sensitive files on the server, such as the .env file, obtaining database passwords, API keys and other secrets, and may even gain root privileges. The vulnerability therefore poses a serious threat to the security of affected systems. All LaRecipe users are advised to upgrade immediately to version 2.8.1 or later to fix this vulnerability.
Vendor: LaRecipe
Product: LaRecipe
Affected versions: version < 2.8.1
Source: https://github.com/B1ack4sh/Blackash-CVE-2025-53833
Type: CVE-2025:github search
Repository files
- README.md
Source overview
🚨 CVE-2025-53833 — Critical ⚠️ SSTI ➜ RCE in LaRecipe (Versions < 2.8.1)
📌 Overview
- Vulnerability ID: CVE-2025-53833
- Component Affected: LaRecipe (a Laravel-based documentation generator)
- Versions Affected: All versions prior to 2.8.1
- Vulnerability Type: Server-Side Template Injection (SSTI)
- Severity: Critical (CVSS 10.0)
⚠️ Impact
This vulnerability allows unauthenticated attackers to:
- Inject malicious template expressions
- Execute arbitrary remote code on the server
- Read sensitive files like .env containing database passwords, API keys, and secrets
- Escalate privileges or even achieve root access
No prior authentication or user interaction is required.
🧠 Technical Insight
The flaw lies in how LaRecipe renders documentation templates. Malicious input is not properly sanitized before being passed into the templating engine, giving an attacker full control over the rendering logic and therefore code execution.
Example:
An attacker could inject something like {{ system('id') }} into a template-rendering route and execute OS-level commands.
✅ Mitigation
To protect your system:
- Upgrade immediately to LaRecipe version 2.8.1 or later
- If you cannot upgrade:
  - Restrict access to documentation endpoints using HTTP authentication or IP whitelisting
  - Disable LaRecipe temporarily if it’s not critical
- Monitor server logs for suspicious activity, especially access to documentation routes
- Review .env and other sensitive files for unauthorized access or changes
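As an added example (not part of the original advisory or the LaRecipe project), the following Python implements the log-monitoring step above: it parses constructed web-server access-log lines, URL-decodes each request target (repeatedly, to catch double encoding) and flags requests to documentation routes that carry the `{{ ... }}` template delimiters seen in the injection example. It assumes the Apache/Nginx combined log format and that documentation is served under `/docs`; both the sample lines and the prefix are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "GET /docs/1.0/overview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jul/2025:12:00:02 +0000] "GET /docs/1.0/%7B%7B%20system%28%27id%27%29%20%7D%7D HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [10/Jul/2025:12:00:03 +0000] "GET /docs/1.0/search?q=%7B%7B+config%28%29+%7D%7D HTTP/1.1" 200 300 "-" "python-requests/2.31"
203.0.113.13 - - [10/Jul/2025:12:00:04 +0000] "GET /api/items?filter={{x}} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DOC_PREFIX = "/docs"  # assumption: documentation routes are mounted under /docs


def decode_target(target: str) -> str:
    """URL-decode until the string stops changing, so %257B (double-encoded '{') is caught."""
    prev = None
    while prev != target:
        prev, target = target, unquote_plus(target)
    return target


def scan_access_log(text: str, doc_prefix: str = DOC_PREFIX) -> list[dict]:
    """Return requests to documentation routes whose path or query carries {{ ... }} delimiters."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = decode_target(m["target"])
        if not decoded.startswith(doc_prefix):
            continue  # only documentation routes are in scope for this check
        if "{{" in decoded and "}}" in decoded:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": decoded,
                         "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} target={hit['target']!r}")
```

A status of 200 on a flagged request is worth prioritising, since it means the route rendered the supplied expression rather than rejecting it.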
🧩 Summary
| Category | Info |
|---|---|
| Type | SSTI → RCE |
| Scope | Unauthenticated users |
| Exploitable via | Public documentation endpoints |
| Patch | Upgrade to 2.8.1+ |
| Urgency | Critical – patch immediately |
🔒 Disclaimer:
This information is provided for educational and defensive purposes only. Exploiting vulnerabilities without proper authorization is illegal and unethical. Always ensure you have explicit permission before conducting any form of security testing. The author is not responsible for any misuse of the content provided.