<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Thymeleaf - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/thymeleaf/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/thymeleaf/feed.xml" rel="self" type="application/rss+xml"/><item><title>Thymeleaf Server-Side Template Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-thymeleaf-ssti/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-thymeleaf-ssti/</guid><description>Thymeleaf versions up to 3.1.3.RELEASE are vulnerable to server-side template injection (SSTI) due to improper neutralization of specific syntax patterns, allowing attackers to execute unauthorized expressions when unvalidated user input is passed directly to the template engine.</description><content:encoded><![CDATA[<p>Thymeleaf, a widely used Java template engine, contains a critical security vulnerability (CVE-2026-40478) affecting versions up to 3.1.3.RELEASE. This vulnerability stems from the improper neutralization of specific syntax patterns within the expression execution mechanisms.  An attacker can exploit this flaw by injecting malicious expressions into Thymeleaf templates if the application passes unvalidated user-supplied input directly to the template engine. Successful exploitation allows an unauthenticated remote attacker to bypass the library's protections and achieve Server-Side Template Injection (SSTI), potentially leading to remote code execution.  The vulnerability affects multiple Thymeleaf packages including <code>org.thymeleaf:thymeleaf</code>, <code>org.thymeleaf:thymeleaf-spring5</code>, and <code>org.thymeleaf:thymeleaf-spring6</code>. It is strongly recommended to upgrade to version 3.1.4.RELEASE to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an application using a vulnerable version of Thymeleaf (&lt;= 3.1.3.RELEASE) that processes user-supplied input within a Thymeleaf template.</li>
<li>The attacker crafts a malicious payload containing Thymeleaf expression language syntax, specifically targeting the bypassable syntax patterns.</li>
<li>The attacker injects the crafted payload into a user-input field, such as a form parameter, URL parameter, or HTTP header, that is directly processed by the Thymeleaf template engine without proper validation or sanitization.</li>
<li>The vulnerable Thymeleaf engine processes the malicious payload, failing to properly neutralize the dangerous syntax patterns.</li>
<li>The injected expression is evaluated by the server, granting the attacker the ability to execute arbitrary code within the context of the application.</li>
<li>The attacker leverages the remote code execution capability to gain control of the server, potentially installing malware, accessing sensitive data, or pivoting to other systems within the network.</li>
<li>The attacker may establish persistent access by creating new user accounts, modifying system configurations, or deploying backdoors.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSTI vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the vulnerable application.  This can lead to complete system compromise, including data theft, malware deployment, and denial of service. The severity is considered critical because it allows for remote code execution without authentication. Applications in any sector are vulnerable if they use Thymeleaf and pass user-provided input unsanitized to the template engine.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Thymeleaf to version 3.1.4.RELEASE or later to patch the vulnerability (CVE-2026-40478).</li>
<li>Implement robust input validation and sanitization on all user-supplied data before passing it to the Thymeleaf template engine to prevent expression injection.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Thymeleaf Expression Injection</code> to identify attempts to exploit this vulnerability in web server logs.</li>
<li>Continuously monitor web application logs for unusual patterns and potential exploitation attempts related to Thymeleaf expressions.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>thymeleaf</category><category>ssti</category><category>cve-2026-40478</category><category>server-side template injection</category><category>expression injection</category></item></channel></rss>