CVE-2021-43466

9.8 CRITICAL

📋 TL;DR

CVE-2021-43466 is a critical remote code execution vulnerability in thymeleaf-spring5 3.0.12. When user-controlled input reaches a position that Thymeleaf parses as an expression (a view or template name returned by a controller, a fragment selector, or a `__${...}__` preprocessing expression inside one of those), the input is evaluated as a Spring Expression Language (SpEL) expression on the server, so an attacker who controls that input can run arbitrary code. Only applications that let request data influence template selection or expression evaluation are exposed; rendering user data through the model with escaped output (`th:text`) is not the problem. A successful attack gives the attacker the privileges of the application process and, from there, the ability to take over the host.

💻 Affected Systems

Products:
  • thymeleaf-spring5
Versions: 3.0.12 (Maven artifact org.thymeleaf:thymeleaf-spring5:3.0.12.RELEASE), as listed in the CVE record. The fix ships in 3.0.13, so treat any build below 3.0.13 as not carrying the fix.
Operating Systems: All operating systems running Java applications with thymeleaf-spring5
Default Config Vulnerable: ⚠️ Yes (no configuration change is required; whether the flaw is reachable depends on application code, see Notes)
Notes: Exposure requires a template injection scenario, i.e. request data influencing what Thymeleaf parses as an expression: a view name returned from a controller, a `th:insert`/`th:replace` fragment selector, or a template or fragment name built by string concatenation from user input. Applications that only pass user data through the model and render it with escaping attributes are not reachable this way.
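The two controller shapes the note describes, side by side, as an added example that is not code from this page or from the Thymeleaf project. The route paths, the `pages/*` template names and the allowlist contents are illustrative assumptions; the hardened version keeps user input out of the view name entirely and lets it reach only the model.

```java
import java.util.Set;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class PageController {

    // VULNERABLE PATTERN (do not ship): the request path becomes part of the view name.
    // When a returned view name contains a fragment selector ("::"), ThymeleafView parses
    // the whole string as a fragment expression, and __${...}__ preprocessing inside it is
    // evaluated as SpEL before any template file is looked up. With thymeleaf-spring5 3.0.12
    // that evaluation is unrestricted, so a crafted {name} executes attacker-chosen code.
    @GetMapping("/vuln/{name}")
    public String vulnerable(@PathVariable String name) {
        return "pages/" + name;
    }

    // Same problem when the fragment selector itself comes from the request.
    @GetMapping("/vuln/fragment/{fragment}")
    public String vulnerableFragment(@PathVariable String fragment) {
        return "layout :: " + fragment;
    }

    // HARDENED: the view name is chosen from a fixed allowlist (hypothetical page names).
    // User input only ever reaches the model, where th:text HTML-escapes it and never
    // evaluates it as an expression.
    private static final Set<String> ALLOWED_PAGES = Set.of("home", "about", "contact");

    @GetMapping("/page/{name}")
    public String hardened(@PathVariable String name, Model model) {
        if (!ALLOWED_PAGES.contains(name)) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        model.addAttribute("requested", name); // safe: rendered with th:text in the template
        return "pages/" + name;                // now one of three constant view names
    }
}
```

The allowlist check is the control that matters: an upgrade to 3.0.13 restricts what the evaluated expression can do, but returning request data as a view name still hands the template engine attacker-chosen input, so fix the code path as well as the dependency.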

📦 What is this software?

Thymeleaf is a server-side Java template engine for HTML, XML and text templates. thymeleaf-spring5 is its integration module for Spring Framework 5 (and therefore Spring Boot 2.x, whose spring-boot-starter-thymeleaf pulls it in): it plugs Thymeleaf into Spring MVC as a view resolver and wires template expressions to the Spring Expression Language (SpEL).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, deploy malware, or pivot to other systems in the network.

🟠

Likely Case

Remote code execution leading to data theft, service disruption, or deployment of ransomware/cryptominers on vulnerable web applications.

🟢

If Mitigated

Limited impact with proper input validation, template sandboxing, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH - Web applications with thymeleaf templates exposed to user input are directly exploitable from the internet.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific template injection scenarios but public proof-of-concept exists. Attackers need to craft malicious template expressions to achieve RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to thymeleaf-spring5 version 3.0.13 or later

Vendor Advisory: https://github.com/thymeleaf/thymeleaf-spring/releases

Restart Required: Yes

Instructions:

1. Update the thymeleaf-spring5 dependency to 3.0.13 or higher in your build configuration (pom.xml for Maven, build.gradle for Gradle). If Spring Boot manages the version for you through spring-boot-dependencies, override the thymeleaf.version property (or move to a Spring Boot release whose BOM already pins 3.0.13) rather than declaring a version on the starter, otherwise the BOM keeps pinning 3.0.12.
2. Rebuild and redeploy the application, and confirm from the resolved dependency tree (not only the build file) that 3.0.13 is what ends up on the classpath.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platforms: all

Never build a view name, template name or `th:insert`/`th:replace` fragment selector by concatenating request data. Map user input to an allowlist of known view names and reject anything else; pass the raw value to the template through the model instead.

Template Sandboxing

Platforms: all

Thymeleaf has no switch that turns off expression evaluation for a particular piece of input, so the practical control is to keep untrusted data out of expression positions: restrict template resolvers to a fixed prefix and suffix so only your own templates can be resolved, render user data only with escaping attributes such as `th:text` (never `th:utext`), and keep it out of view names and fragment selectors.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block Thymeleaf/SpEL expression syntax in paths, query strings and form fields (`__${`, `${`, `T(`, and `::` combined with an expression), matching on the URL-decoded and double-decoded request so encoded variants such as `%24%7B` and `%2524%257B` are caught as well.
  • Network segmentation to isolate vulnerable applications and restrict access to minimum required users/systems.

🔍 How to Verify

Check if Vulnerable:

Check the resolved dependency tree, not only pom.xml or build.gradle: thymeleaf-spring5 usually arrives transitively through spring-boot-starter-thymeleaf, with its version pinned by the Spring Boot BOM, so it may not appear in your build file at all. Also check the deployed application's classpath for the 3.0.12 jar.

Check Version:

For Maven: mvn dependency:tree -Dincludes=org.thymeleaf (shows the version actually resolved, including one pinned by a parent POM or BOM).
For Gradle: gradle dependencies --configuration runtimeClasspath | grep thymeleaf
For deployed apps: list the jars in the artifact (for a Spring Boot fat jar, unzip -l app.jar | grep thymeleaf-spring5; for a WAR, look in WEB-INF/lib) and read the version from the jar file name or its META-INF/MANIFEST.MF.

Verify Fix Applied:

Verify that thymeleaf-spring5 is 3.0.13 or higher both in the resolved dependency tree and in the deployed artifact. thymeleaf-spring5 3.0.13 depends on thymeleaf 3.0.13, so both jars should move together; a mismatch usually means a BOM or another module is still pinning the old core. Then exercise the pages and fragments your application renders to confirm templates still work.
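A runtime guard that checks the jar the JVM actually loaded rather than what the build file says, as an added example that is not code from this page or from the Thymeleaf project. It assumes the standard jar naming `thymeleaf-spring5-<version>.jar` (also inside `BOOT-INF/lib` of a Spring Boot fat jar) and looks the class up by name so the check compiles even when thymeleaf-spring5 is absent; call `main` from an `ApplicationRunner` or a startup hook.

```java
import java.net.URL;
import java.security.CodeSource;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Fails fast at startup if the thymeleaf-spring5 jar on the classpath is older than 3.0.13.
 * Greps over pom.xml miss versions pinned by a BOM or shaded into a fat jar; the jar the
 * classloader resolved is what runs.
 */
public final class ThymeleafVersionGuard {

    // Matches e.g. ".../thymeleaf-spring5-3.0.12.RELEASE.jar" anywhere in the URL.
    private static final Pattern JAR_VERSION =
            Pattern.compile("thymeleaf-spring5-(\\d+)\\.(\\d+)\\.(\\d+)");

    /** True only when a version can be parsed from the location and it is 3.0.13 or newer. */
    static boolean hasFix(String jarLocation) {
        Matcher m = JAR_VERSION.matcher(jarLocation);
        if (!m.find()) {
            return false; // renamed or shaded jar: refuse to assume it is patched
        }
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        int build = Integer.parseInt(m.group(3));
        if (major != 3) return major > 3;
        if (minor != 0) return minor > 0;
        return build >= 13;
    }

    /** Location of the jar that provides SpringTemplateEngine, or null if it cannot be determined. */
    static String loadedJarLocation() {
        try {
            Class<?> engine = Class.forName("org.thymeleaf.spring5.SpringTemplateEngine");
            CodeSource src = engine.getProtectionDomain().getCodeSource();
            URL url = src == null ? null : src.getLocation();
            return url == null ? null : url.toString();
        } catch (ClassNotFoundException e) {
            return null; // thymeleaf-spring5 is not on the classpath at all
        }
    }

    public static void main(String[] args) {
        String location = loadedJarLocation();
        if (location == null) {
            System.out.println("thymeleaf-spring5 not found on the classpath");
            return;
        }
        if (!hasFix(location)) {
            throw new IllegalStateException(
                    "thymeleaf-spring5 older than 3.0.13 (CVE-2021-43466): " + location);
        }
        System.out.println("thymeleaf-spring5 OK: " + location);
    }
}
```

The guard deliberately treats an unparseable location as a failure: a shaded or renamed jar is exactly the case where a build-file check would have given false comfort, and it is cheaper to fix the naming than to run unverified.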

📡 Detection & Monitoring

Log Indicators:

  • Template resolution errors triggered by odd view names: org.thymeleaf.exceptions.TemplateInputException ("Error resolving template ...") or TemplateProcessingException at a rate or for names your application never produces
  • SpEL evaluation errors (org.springframework.expression.spel.SpelEvaluationException) raised while processing a view or fragment name, which means expression syntax reached the template engine from request data
  • Child processes spawned by the JVM (sh, bash, cmd.exe, curl, wget) or command execution recorded by the application or the host's process auditing

Network Indicators:

  • HTTP requests whose path, query string or form body contain Thymeleaf/SpEL expression syntax: `__${`, `${`, `T(`, or `::` next to an expression, including URL-encoded (`%24%7B`) and double-encoded (`%2524%257B`) forms
  • Outbound connections from application servers to unexpected destinations

SIEM Query:

Example (field names are illustrative; match on the decoded URI where your SIEM provides one): (http_request_uri CONTAINS "__${" OR http_request_uri CONTAINS "__%24%7B" OR http_request_uri CONTAINS "%2524%257B" OR http_request_uri CONTAINS "T(java.") AND service_name IN (<your Thymeleaf-based applications>)
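The same detection logic run over access-log lines, as an added example that is not part of the original page and not a vendor tool. It assumes combined log format (request target is the second token inside the first quoted field) and decodes the target repeatedly so double-encoded markers surface; the three log lines are constructed for the demonstration, not real traffic.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Flags access-log lines whose request target carries Thymeleaf/SpEL injection markers. */
public final class ThymeleafInjectionDetector {

    // Markers: preprocessing "__${", a "${" expression invoking the SpEL type operator T(,
    // T( applied to a java.* class, and a fragment separator "::" combined with an expression.
    private static final Pattern MARKERS = Pattern.compile(
            "__\\$\\{|\\$\\{[^}]*T\\(|T\\(java\\.|\\$\\{.*::|::.*\\$\\{");

    /** Decodes until the string stops changing, so %2524%257B (double-encoded) becomes ${. */
    static String fullyDecode(String s) {
        String prev = s;
        for (int i = 0; i < 3; i++) {
            String cur;
            try {
                // keep literal '+' (URLDecoder would turn it into a space)
                cur = URLDecoder.decode(prev.replace("+", "%2B"), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return prev; // stray '%' sequences: stop and match what we have
            }
            if (cur.equals(prev)) break;
            prev = cur;
        }
        return prev;
    }

    static boolean isSuspicious(String requestTarget) {
        return MARKERS.matcher(fullyDecode(requestTarget)).find();
    }

    /** Returns the offending lines from a batch of combined-log-format lines. */
    static List<String> scan(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            int q1 = line.indexOf('"');
            int q2 = q1 < 0 ? -1 : line.indexOf('"', q1 + 1);
            if (q2 < 0) continue;
            String[] request = line.substring(q1 + 1, q2).split(" "); // METHOD TARGET VERSION
            if (request.length < 2) continue;
            if (isSuspicious(request[1])) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines (not real traffic): a benign page request, a single-encoded
        // preprocessing probe, and a double-encoded expression using the T( operator.
        List<String> sample = List.of(
            "10.0.0.5 - - [12/Nov/2021:10:00:01 +0000] \"GET /page/home HTTP/1.1\" 200 512",
            "10.0.0.9 - - [12/Nov/2021:10:00:02 +0000] \"GET /page/__%24%7B7*7%7D__::.x HTTP/1.1\" 500 0",
            "10.0.0.9 - - [12/Nov/2021:10:00:03 +0000] \"GET /page/%2524%257BT(java.lang.Runtime)%257D HTTP/1.1\" 404 0");
        for (String hit : scan(sample)) {
            System.out.println("SUSPICIOUS: " + hit); // expected: the second and third lines
        }
    }
}
```

A bare `${` on its own is too noisy for most sites (templating placeholders leak into URLs all the time), which is why the pattern ties it to `T(` or to a fragment separator; tune it against a day of your own logs before turning it into an alert.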
