Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2025-27137

Disclosure Date: February 24, 2025 •

CVE-2025-27137

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Dependency-Track is a component analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track allows users with the SYSTEM_CONFIGURATION permission to customize notification templates. Templates are evaluated using the Pebble template engine. Pebble supports an include tag, which allows template authors to include the content of arbitrary files upon evaluation. Prior to version 4.12.6, users of Dependency-Track with the SYSTEM_CONFIGURATION permission can abuse the include tag by crafting notification templates that include sensitive local files, such as /etc/passwd or /proc/1/environ. By configuring such a template for a notification rule (aka “Alert”), and having it send notifications to a destination controlled by the actor, sensitive information may be leaked. The issue has been fixed in Dependency-Track 4.12.6. In fixed versions, the include tag can no longer be used. Usage of the tag will cause template evaluation to fail. As a workaround, avoid assigning the SYSTEM_CONFIGURATION permission to untrusted users. The SYSTEM_CONFIGURATION permission per default is only granted to members of the Administrators team. Assigning this permission to non-administrative users or teams is a security risk in itself, and highly discouraged.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

References

Canonical

CVE-2025-27137 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27137)

Miscellaneous

https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9582-88hr-54w3

https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-p75g-cxfj-7wrx

https://github.com/PebbleTemplates/pebble/issues/680

https://github.com/DependencyTrack/dependency-track/pull/4684

https://github.com/DependencyTrack/dependency-track/pull/4685

https://pebbletemplates.io/wiki/tag/include

Rapid7

Unknown

CVE-2025-27137

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2025-27137

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2025-27137

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2025-27137

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification