GHSA-mggx-p7jf-jgw4: Remote Code Execution via FreeMarker Template Injection in Jdbi
Vulnerability ID: GHSA-MGGX-P7JF-JGW4
CVSS Score: 7.7
Published: 2026-05-05
The jdbi3-freemarker module of the Jdbi library ships with an insecure default configuration that allows Remote Code Execution (RCE). The FreeMarker template engine is initialized without a restrictive class resolver, so when application input is unsafely concatenated into SQL templates an attacker can reach the ?new built-in and execute arbitrary system commands. All versions up to and including 3.52.1 are affected; the issue is resolved in version 3.53.0.
TL;DR
Jdbi's FreeMarker module (<= 3.52.1) is vulnerable to RCE due to an unrestricted template class resolver. Attackers can leverage the ?new directive to execute OS commands if user input reaches the template engine. Upgrading to 3.53.0 resolves the issue.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-1336
- Attack Vector: Network
- CVSS Score: 7.7
- Impact: Remote Code Execution (RCE)
- Exploit Status: Proof of Concept Available
- Affected Component: jdbi3-freemarker Template Initialization
Affected Systems
- org.jdbi:jdbi3-freemarker <= 3.52.1 (fixed in 3.53.0)
Mitigation Strategies
- Upgrade to org.jdbi:jdbi3-freemarker version 3.53.0 or later.
- Audit application source code for unsafe string concatenation prior to Jdbi query execution.
- Ensure all user-supplied data is passed to Jdbi via parameter binding mechanisms rather than string interpolation.
- If reflective instantiation is required via ?new, implement a strict allowlist using a custom TemplateClassResolver.
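The allowlist approach from the last item, written out as an added example (not Jdbi's or FreeMarker's own code): a default-deny TemplateClassResolver plugged into a FreeMarker Configuration, with a check that a non-allowlisted class cannot be instantiated through ?new. It assumes FreeMarker 2.3.x; the hardened/render helpers and the allowlisted class name are illustrative, and handing the resulting Configuration to Jdbi's FreemarkerConfig is left as an assumption.

```java
import java.io.StringWriter;
import java.util.Collections;
import java.util.Set;
import freemarker.core.Environment;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/** Default-deny resolver: ?new may instantiate only the listed class names. */
final class AllowlistClassResolver implements TemplateClassResolver {
    private final Set<String> allowed;
    AllowlistClassResolver(Set<String> allowed) { this.allowed = Set.copyOf(allowed); }

    @Override
    public Class<?> resolve(String className, Environment env, Template template)
            throws TemplateException {
        if (!allowed.contains(className)) {
            throw new TemplateException("?new is not permitted for " + className, env);
        }
        // Delegate loading to SAFER_RESOLVER, which also refuses FreeMarker's
        // known-dangerous utility classes even if someone lists them by mistake.
        return TemplateClassResolver.SAFER_RESOLVER.resolve(className, env, template);
    }
}

public class HardenedFreemarker {
    /** Configuration hardened against the ?new vector; empty allowlist disables ?new. */
    static Configuration hardened(Set<String> allowlist) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(allowlist.isEmpty()
            ? TemplateClassResolver.ALLOWS_NOTHING_RESOLVER
            : new AllowlistClassResolver(allowlist));
        return cfg;   // assumption: pass to Jdbi via FreemarkerConfig.setFreemarkerConfiguration
    }

    static String render(Configuration cfg, String src) throws Exception {
        StringWriter out = new StringWriter();
        new Template("check", src, cfg).process(Collections.emptyMap(), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardened(Set.of("freemarker.template.SimpleSequence"));
        // Allowlisted TemplateModel class still instantiates; ?new only accepts TemplateModels.
        System.out.println(render(cfg, "${\"freemarker.template.SimpleSequence\"?new()?size}"));
        try {
            render(cfg, "${\"java.util.Random\"?new()}");   // not allowlisted: resolver rejects it
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```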
Remediation Steps
- Identify the current version of org.jdbi:jdbi3-freemarker in project dependency manifests (e.g., pom.xml, build.gradle).
- Update the version definition to 3.53.0.
- Recompile the application and execute integration tests to ensure no legitimate FreeMarker templates relied on the ?new built-in.
- Deploy the updated application to production environments.
- Review application source code calling Handle.createQuery(), createUpdate(), createCall(), createScript(), and Batch.add() for string concatenation.