Published: 05 Mar 2025
Source: github
GitHub: reviewed
CVSS4: 8.9
CVSS3: 9.8
Description
Spacy-LLM Server-Side Template Injection (SSTI) vulnerability
A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code by injecting a crafted payload into the template field.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-25362
- https://github.com/explosion/spacy-llm/issues/492
- https://github.com/explosion/spacy-llm/pull/491
- https://github.com/explosion/spacy-llm/commit/8bde0490cc1e9de9dd2e84480b7b5cd18a94d739
- https://www.hacktivesecurity.com/blog/2025/04/01/cve-2025-25362-old-vulnerabilities-new-victims-breaking-llm-prompts-with-ssti
Packages
Name: spacy-llm (pip)
Affected versions: <= 0.7.2
Fixed version: 0.7.3
EPSS: 0.00453 (percentile: 63%), Low
CVSS4: 8.9 High
CVSS3: 9.8 Critical
CVE ID
Weaknesses: CWE-1336, CWE-94
Related vulnerabilities
nvd, 11 months ago, CVSS3: 9.8
A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code by injecting a crafted payload into the template field.