CVE-2021-41170

9.8 CRITICAL

📋 TL;DR

Before version 1.1.1, neoan3-apps/template (a PHP template engine) invoked values handed to it as callables, which turns template injection into remote code execution: a closure passed into the engine runs when the template is processed. In PHP a callable is not only a closure; any string that names an existing function satisfies is_callable(), so the risk extends to ordinary user input and database-stored strings that reach the engine. Every installation that renders user input or database values through the engine is affected.

💻 Affected Systems

Products:
  • neoan3-apps/template
Versions: All versions prior to 1.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations that feed dynamic data (request parameters, database records) into the template engine are vulnerable; only templates rendered from hardcoded values are unaffected.

📦 What is this software?

neoan3-apps/template is a PHP template engine distributed through Composer (Packagist) and maintained in the sroehrl/neoan3-template repository on GitHub.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise with arbitrary code execution, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Remote code execution leading to application takeover, data manipulation, and potential privilege escalation.

🟢

If Mitigated

Limited impact where only hardcoded values reach the engine, but that rules out most of what a template engine is used for.

🌐 Internet-Facing: HIGH - Template engines processing user input are directly exposed to attackers.
🏢 Internal Only: MEDIUM - Internal applications may still be vulnerable if they process user-controlled or database data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The public advisory documents the issue in enough detail that exploitation needs little skill; whether it is reachable without authentication depends on which application paths feed the engine.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.1

Vendor Advisory: https://github.com/sroehrl/neoan3-template/security/advisories/GHSA-3v56-q6r6-4gcw

Restart Required: No (reload PHP-FPM or reset OPcache only where opcache.validate_timestamps is disabled, since the stale compiled copy would otherwise keep running)

Instructions:

1. Update the package via Composer: composer require neoan3-apps/template:^1.1.1
2. Confirm that composer.lock and the installed vendor/ tree now carry 1.1.1 or later: composer show neoan3-apps/template
3. Run your template tests and spot-check rendered pages, then deploy the updated vendor/ directory to every host

🔧 Temporary Workarounds

Restrict template input to hardcoded values only (applies to all affected versions): pass only hardcoded, non-user-controlled values into the engine, and keep request parameters and database fields out of it until the upgrade lands.

🧯 If You Can't Patch

  • Validate strictly before anything reaches the engine: reject closures, objects and arrays, and reject strings for which is_callable() or function_exists() returns true (PHP resolves function names case-insensitively, so normalise first)
  • Run PHP with least privilege: a dedicated unprivileged PHP-FPM user, and disable_functions in php.ini for the exec family (system, exec, shell_exec, passthru, proc_open, popen) so a selected callable has nothing dangerous to reach
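
To make the mechanism behind both the TL;DR and the validation advice above concrete, here is an added illustration in PHP, written for this page and not taken from neoan3-apps/template (whose template syntax and internals differ): a minimal engine whose {{fn(key)}} construct invokes whatever $data['fn'] holds once is_callable() accepts it, beside a hardened version that only calls closures the application registered and rejects any non-scalar data. The placeholder syntax, the function names and the $tainted array are assumptions for the demonstration; strtoupper stands in for a shell function such as system, which passes is_callable() just the same.

```php
<?php
declare(strict_types=1);
// Added illustration of the bug class (PHP 7.4+), not code from neoan3-apps/template.
// Assumed mini-syntax: {{key}} substitutes $data['key']; {{fn(key)}} calls a function
// named "fn" with $data['key'] as its argument.
const PLACEHOLDER = '/\{\{\s*(\w+)(?:\((\w+)\))?\s*\}\}/';

/** Vulnerable pattern: whatever $data holds under the function name is invoked if is_callable() accepts it. */
function renderVulnerable(string $template, array $data): string
{
    return preg_replace_callback(PLACEHOLDER, function (array $m) use ($data): string {
        $value = $data[$m[1]] ?? '';
        if (isset($m[2]) && $m[2] !== '') {
            // BUG: is_callable() is true for closures AND for plain strings naming a PHP function
            // ('strtoupper' below, but 'system' or 'passthru' just as well), so attacker-controlled
            // data chooses both the function and its argument.
            return is_callable($value) ? (string)$value($data[$m[2]] ?? '') : '';
        }
        return (string)$value;
    }, $template);
}

/** Hardened pattern: only closures the application registered are callable; $data is never invoked. */
function renderSafe(string $template, array $data, array $functions): string
{
    return preg_replace_callback(PLACEHOLDER, function (array $m) use ($data, $functions): string {
        if (isset($m[2]) && $m[2] !== '') {
            $fn = $functions[$m[1]] ?? null;
            if (!($fn instanceof Closure)) {
                throw new InvalidArgumentException("unregistered template function: {$m[1]}");
            }
            return htmlspecialchars((string)$fn(scalarOrFail($data, $m[2])), ENT_QUOTES);
        }
        return htmlspecialchars(scalarOrFail($data, $m[1]), ENT_QUOTES);
    }, $template);
}

/** Rejects closures, objects and arrays before they can reach any call site or output. */
function scalarOrFail(array $data, string $key): string
{
    $value = $data[$key] ?? '';
    if (!is_scalar($value)) {
        throw new InvalidArgumentException("template value '{$key}' must be scalar, got " . gettype($value));
    }
    return (string)$value;
}

$template = 'Hello {{name}}! {{fn(arg)}}';
// Constructed attacker-controlled input, e.g. profile fields read back from a database.
$tainted = ['name' => 'alice', 'fn' => 'strtoupper', 'arg' => 'id'];

// Vulnerable: $tainted['fn'] decides which function runs; with 'system' this is RCE.
echo renderVulnerable($template, $tainted), PHP_EOL;
// Vulnerable: a closure smuggled into $data runs as soon as the template references it.
echo renderVulnerable('{{fn(arg)}}', ['fn' => fn(string $x): string => "closure ran with $x", 'arg' => 'id']), PHP_EOL;

// Hardened: the registered closure is reachable from a template ...
$functions = ['shout' => fn(string $s): string => strtoupper($s)];
echo renderSafe('Hello {{name}}! {{shout(arg)}}', $tainted, $functions), PHP_EOL;
// ... the same tainted data can no longer select a function ...
try {
    renderSafe($template, $tainted, $functions);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// ... and a closure in $data is refused instead of executed.
try {
    renderSafe('{{name}}', ['name' => fn(): string => 'executed'], $functions);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with php and compare the two renderers: the vulnerable one executes whatever function name the tainted data carries, while the hardened one throws InvalidArgumentException for both the unregistered name and the closure. That separation is the point of the fix: callable things belong in a registry the application populates in code, and data coming from requests or the database is treated as text, escaped on output and never invoked.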

🔍 How to Verify

Check if Vulnerable:

Check composer.lock, or run composer show (which reads the installed vendor/ tree, so run it on the deployed host): any neoan3-apps/template version below 1.1.1 is vulnerable.

Check Version:

composer show neoan3-apps/template | grep versions

Verify Fix Applied:

Verify installed version is 1.1.1 or higher: composer show neoan3-apps/template

📡 Detection & Monitoring

Log Indicators:

  • Unexpected PHP errors raised from inside template rendering
  • Child processes (sh, bash, curl, wget) spawned by the PHP-FPM or Apache worker
  • Request parameters or stored records whose value is a bare PHP function name (system, exec, shell_exec, passthru, proc_open); PHP resolves function names case-insensitively, so match case-insensitively

Network Indicators:

  • HTTP requests whose parameter values are PHP function names rather than ordinary text. A PHP closure cannot travel in a request (serialize() refuses Closure objects), so the attacker's callable arrives as a string naming a function

SIEM Query:

source="web_logs" AND (message="*=system*" OR message="*=shell_exec*" OR message="*=exec*" OR message="*=passthru*" OR message="*=proc_open*")

Use a case-insensitive match, substitute the field that carries the request URI or query string, and tune the function list to your application.
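
The indicators above translate into a small scanner; the following PHP script is an added example for this page, not part of the advisory or the project. It parses the request line of combined-format access-log entries, decodes the query string the way PHP builds $_GET (including data[fn]=... array syntax), and flags parameter values that are dangerous function names (high) or any other existing function name (low). The log lines are constructed samples and DANGEROUS_FUNCTIONS is an assumed denylist to tune per application.

```php
<?php
declare(strict_types=1);
// Added example for this page, not code from the advisory or from neoan3-apps/template.
// Flags access-log requests whose query parameters carry bare PHP function names,
// the attacker-controlled "callable" that this class of bug turns into code execution.

// Assumed denylist: function names that are almost never legitimate parameter values.
const DANGEROUS_FUNCTIONS = [
    'system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen', 'pcntl_exec',
    'assert', 'call_user_func', 'call_user_func_array', 'file_put_contents',
    'file_get_contents', 'unlink', 'phpinfo',
];

/** Flattens nested query arrays (data[fn]=x) so every leaf value is checked. */
function flattenParams(array $params, string $prefix = ''): array
{
    $out = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string)$key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $out += flattenParams($value, $name);
        } else {
            $out[$name] = (string)$value;
        }
    }
    return $out;
}

/** Returns one finding per suspicious parameter of a combined-format access-log line. */
function scanAccessLogLine(string $line): array
{
    // Request line as Apache/nginx write it: "METHOD /path?query HTTP/x.y"
    if (!preg_match('#"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);   // percent-decodes and builds the array PHP would hand to $_GET

    $findings = [];
    foreach (flattenParams($params) as $name => $value) {
        // PHP resolves function names case-insensitively (is_callable('SyStEm') is true),
        // so normalise before matching.
        $fn = strtolower(trim($value));
        if (in_array($fn, DANGEROUS_FUNCTIONS, true)) {
            $findings[] = ['param' => $name, 'value' => $value, 'severity' => 'high'];
        } elseif (strlen($fn) > 3 && function_exists($fn)) {
            // Any other existing function name is still callable; report it as low for triage.
            $findings[] = ['param' => $name, 'value' => $value, 'severity' => 'low'];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): benign, a probe with a shell function,
// and array syntax with percent-encoded brackets.
$sample = [
    '203.0.113.7 - - [10/Nov/2021:12:00:01 +0000] "GET /profile?name=alice&greeting=hello HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2021:12:00:05 +0000] "GET /profile?name=id&greeting=SyStEm HTTP/1.1" 200 734',
    '198.51.100.2 - - [10/Nov/2021:12:01:17 +0000] "POST /render?data%5Bfn%5D=shell_exec&data%5Barg%5D=uname%20-a HTTP/1.1" 200 88',
];

foreach ($sample as $i => $line) {
    foreach (scanAccessLogLine($line) as $f) {
        printf("line %d: %s  %s=%s\n", $i + 1, strtoupper($f['severity']), $f['param'], $f['value']);
    }
}
```

Access logs do not carry POST bodies or database contents, so for templates populated from form posts or stored records, apply the same per-value check to the values your application logs at render time. The low-severity tier is deliberately noisy (date, count and similar words are function names too) and exists for triage; a hit on the denylist warrants pulling the request and checking what the template did with it.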
