{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/freemarker/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["jdbi3-freemarker (\u003c= 3.52.1)","h2 (2.2.224)"],"_cs_severities":["high"],"_cs_tags":["freemarker","template-injection","rce","jdbi"],"_cs_type":"advisory","_cs_vendors":["H2 Database","JDBI"],"content_html":"\u003cp\u003eThe jdbi3-freemarker library, when used with attacker-controlled template source, is vulnerable to remote code execution (RCE). This vulnerability stems from the improper neutralization of special elements used in the FreeMarker template engine. Specifically, the library\u0026rsquo;s default configuration does not restrict Java class instantiation within FreeMarker templates, allowing attackers to instantiate arbitrary classes, including those that can execute system commands. The vulnerability affects jdbi3-freemarker versions up to and including 3.52.1. 
Successful exploitation requires an application to depend on the vulnerable library and permit attacker-influenced text to reach \u003ccode\u003eFreemarkerEngine.parse()\u003c/code\u003e as template source, either directly or indirectly through template evaluation. Values passed through Jdbi \u003ccode\u003ebind()\u003c/code\u003e parameters are not part of the template source and do not trigger this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using jdbi3-freemarker for SQL templating.\u003c/li\u003e\n\u003cli\u003eThe attacker finds an endpoint where user-supplied input is concatenated into the SQL template text rather than bound as a parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a FreeMarker payload that uses the \u003ccode\u003e?new\u003c/code\u003e built-in to instantiate a class that executes system commands (e.g., \u003ccode\u003e${\u0026quot;freemarker.template.utility.Execute\u0026quot;?new()(\u0026quot;touch /tmp/jdbi-pwned\u0026quot;)}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the payload to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker\u0026rsquo;s input to \u003ccode\u003eFreemarkerEngine.parse()\u003c/code\u003e, which parses and renders it as a FreeMarker template.\u003c/li\u003e\n\u003cli\u003eBecause jdbi3-freemarker does not configure a \u003ccode\u003eTemplateClassResolver\u003c/code\u003e, FreeMarker\u0026rsquo;s default \u003ccode\u003eUNRESTRICTED_RESOLVER\u003c/code\u003e applies, so \u003ccode\u003e?new\u003c/code\u003e instantiates \u003ccode\u003efreemarker.template.utility.Execute\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eExecute\u003c/code\u003e instance runs the attacker\u0026rsquo;s command as the JVM\u0026rsquo;s OS user, creating \u003ccode\u003e/tmp/jdbi-pwned\u003c/code\u003e on the server; any other command can be substituted, so the attacker has arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code within the application\u0026rsquo;s JVM. 
This can lead to complete compromise of the affected system, including data theft, system modification, and denial of service. The vulnerability impacts all jdbi3-freemarker releases through version 3.52.1. Applications relying on jdbi3-freemarker and building SQL template text from user-controlled data are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a version of \u003ccode\u003eorg.jdbi:jdbi3-freemarker\u003c/code\u003e that includes the fix described in GHSA-mggx-p7jf-jgw4 (versions \u0026gt; 3.52.1).\u003c/li\u003e\n\u003cli\u003eIf you cannot upgrade immediately, apply the proposed patch in \u003ccode\u003eFreemarkerConfig.java\u003c/code\u003e and \u003ccode\u003eFreemarkerSqlLocator.java\u003c/code\u003e, which sets \u003ccode\u003eTemplateClassResolver.ALLOWS_NOTHING_RESOLVER\u003c/code\u003e on the FreeMarker \u003ccode\u003eConfiguration\u003c/code\u003e so that the \u003ccode\u003e?new\u003c/code\u003e built-in cannot instantiate any Java class.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eKeep user-provided input out of template source: pass values as bound parameters (Jdbi \u003ccode\u003ebind()\u003c/code\u003e) instead of concatenating them into the SQL template text. The resolver fix stops class instantiation, but attacker text in template source is still SQL injection and is still parsed by FreeMarker.\u003c/li\u003e\n\u003cli\u003eIf dynamic SQL templating is required, restrict the classes that can be instantiated within FreeMarker templates (\u003ccode\u003eTemplateClassResolver.SAFER_RESOLVER\u003c/code\u003e blocks \u003ccode\u003eExecute\u003c/code\u003e and \u003ccode\u003eObjectConstructor\u003c/code\u003e; an allow-list resolver is tighter) and review every value exposed to the template data model.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T22:15:17Z","date_published":"2026-05-05T22:15:17Z","id":"/briefs/2024-01-jdbi3-freemarker-rce/","summary":"Jdbi's freemarker module is vulnerable to arbitrary command execution when an application permits attacker-influenced text to reach FreemarkerEngine.parse() as template source, affecting org.jdbi:jdbi3-freemarker through version 3.52.1 and potentially leading to RCE.","title":"JDBI Freemarker Template Engine Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-jdbi3-freemarker-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Freemarker","version":"https://jsonfeed.org/version/1.1"}
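Added example, not code from the brief above or from the Jdbi project: a stand-alone Java program that reproduces, with FreeMarker's own API, the three shapes the attack chain and recommendations describe: the unpatched default (no resolver set, so UNRESTRICTED_RESOLVER applies and `?new` instantiates whatever class the input names), the patched default (ALLOWS_NOTHING_RESOLVER, which refuses the same input), and the correct pattern where user input never enters the template source at all. It assumes FreeMarker 2.3.31 or later on the classpath. The payload names the harmless `freemarker.template.SimpleScalar` in place of `freemarker.template.utility.Execute`, so the `?new` path is visible without running a shell command; the Jdbi `bind()` usage is an assumption stated in a comment, since the program opens no database.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

/** Added example of the unsafe vs. hardened FreeMarker configuration; not Jdbi project code. */
public class FreemarkerSqlTemplateDemo {

    // Constructed attacker input. The brief's payload instantiates
    // freemarker.template.utility.Execute; SimpleScalar (a harmless TemplateModel)
    // stands in here so ?new can be observed without executing a command.
    static final String PAYLOAD = "${\"freemarker.template.SimpleScalar\"?new(\"injected\")}";

    /** Unpatched shape: no TemplateClassResolver set, so FreeMarker's default UNRESTRICTED_RESOLVER applies. */
    static Configuration unrestrictedConfig() {
        return new Configuration(Configuration.VERSION_2_3_31);
    }

    /** Patched shape the brief describes: refuse every ?new instantiation. */
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    /** Parses templateSource and renders it against model, as a SQL template engine would. */
    static String render(Configuration cfg, String templateSource, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("sql", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        String userInput = PAYLOAD;

        // Vulnerable pattern: the untrusted value is concatenated into the template source itself.
        String taintedSource = "select * from users where name = '" + userInput + "'";

        // 1. Default resolver: ?new instantiates the class the input names and its value is rendered.
        try {
            System.out.println("unrestricted: " + render(unrestrictedConfig(), taintedSource, new HashMap<>()));
        } catch (TemplateException e) {
            System.out.println("unrestricted: unexpected failure: " + e.getMessage());
        }

        // 2. ALLOWS_NOTHING_RESOLVER: identical input, instantiation refused with a TemplateException.
        try {
            render(hardenedConfig(), taintedSource, new HashMap<>());
            System.out.println("hardened: not blocked (unexpected)");
        } catch (TemplateException e) {
            System.out.println("hardened: blocked: " + e.getMessage());
        }

        // 3. Correct pattern, independent of resolver: the template source is a fixed string the
        //    developer wrote, and only developer-defined values drive template logic. The user's
        //    value never enters the source; with Jdbi it would be supplied after rendering via
        //    handle.createQuery(sql).bind("name", userInput) (assumed usage, not exercised here).
        String fixedSource = "select * from users where name = :name<#if activeOnly> and active = true</#if>";
        Map<String, Object> model = new HashMap<>();
        model.put("activeOnly", Boolean.TRUE);
        try {
            System.out.println("fixed template: " + render(hardenedConfig(), fixedSource, model));
        } catch (TemplateException e) {
            System.out.println("fixed template: unexpected failure: " + e.getMessage());
        }
    }
}
```

Compile and run with freemarker.jar on the classpath. Case 1 prints the interpolated `injected` value, showing that the class named in user input was instantiated; case 2 prints FreeMarker's refusal message; case 3 renders the fixed template to SQL that still carries the `:name` placeholder for binding. Note that the resolver setting changes only what `?new` may construct; the concatenation in case 1 remains SQL injection even when case 2's setting is active, which is why case 3 is the pattern to adopt.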