{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/thymeleaf-spring-6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Thymeleaf","Thymeleaf Spring 5","Thymeleaf Spring 6"],"_cs_severities":["critical"],"_cs_tags":["thymeleaf","ssti","cve-2026-40478","server-side template injection","expression injection"],"_cs_type":"advisory","_cs_vendors":["Thymeleaf"],"content_html":"\u003cp\u003eThymeleaf, a widely used Java template engine, contains a critical security vulnerability (CVE-2026-40478) affecting versions up to 3.1.3.RELEASE. This vulnerability stems from the improper neutralization of specific syntax patterns within the expression execution mechanisms.  An attacker can exploit this flaw by injecting malicious expressions into Thymeleaf templates if the application passes unvalidated user-supplied input directly to the template engine. Successful exploitation allows an unauthenticated remote attacker to bypass the library's protections and achieve Server-Side Template Injection (SSTI), potentially leading to remote code execution.  The vulnerability affects multiple Thymeleaf packages including \u003ccode\u003eorg.thymeleaf:thymeleaf\u003c/code\u003e, \u003ccode\u003eorg.thymeleaf:thymeleaf-spring5\u003c/code\u003e, and \u003ccode\u003eorg.thymeleaf:thymeleaf-spring6\u003c/code\u003e. It is strongly recommended to upgrade to version 3.1.4.RELEASE to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of Thymeleaf (\u0026lt;= 3.1.3.RELEASE) that processes user-supplied input within a Thymeleaf template.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing Thymeleaf expression language syntax, specifically targeting the bypassable syntax patterns.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted payload into a user-input field, such as a form parameter, URL parameter, or HTTP header, that is directly processed by the Thymeleaf template engine without proper validation or sanitization.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Thymeleaf engine processes the malicious payload, failing to properly neutralize the dangerous syntax patterns.\u003c/li\u003e\n\u003cli\u003eThe injected expression is evaluated by the server, granting the attacker the ability to execute arbitrary code within the context of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the remote code execution capability to gain control of the server, potentially installing malware, accessing sensitive data, or pivoting to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistent access by creating new user accounts, modifying system configurations, or deploying backdoors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSTI vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the vulnerable application.  This can lead to complete system compromise, including data theft, malware deployment, and denial of service. The severity is considered critical because it allows for remote code execution without authentication. Applications in any sector are vulnerable if they use Thymeleaf and pass user-provided input unsanitized to the template engine.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Thymeleaf to version 3.1.4.RELEASE or later to patch the vulnerability (CVE-2026-40478).\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization on all user-supplied data before passing it to the Thymeleaf template engine to prevent expression injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Thymeleaf Expression Injection\u003c/code\u003e to identify attempts to exploit this vulnerability in web server logs.\u003c/li\u003e\n\u003cli\u003eContinuously monitor web application logs for unusual patterns and potential exploitation attempts related to Thymeleaf expressions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-thymeleaf-ssti/","summary":"Thymeleaf versions up to 3.1.3.RELEASE are vulnerable to server-side template injection (SSTI) due to improper neutralization of specific syntax patterns, allowing attackers to execute unauthorized expressions when unvalidated user input is passed directly to the template engine.","title":"Thymeleaf Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-thymeleaf-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed - Thymeleaf Spring 6","version":"https://jsonfeed.org/version/1.1"}