CVE-2022-0323

8.8 HIGH

📋 TL;DR

This vulnerability in the mustache.php template engine allows attackers to execute arbitrary code by injecting malicious templates. It affects any PHP application using mustache/mustache versions before 2.14.1 for template rendering. The vulnerability stems from improper neutralization of special elements in the template engine.

💻 Affected Systems

Products:
  • Packagist mustache/mustache (mustache.php)
Versions: All versions prior to 2.14.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Any PHP application using mustache.php for template rendering with user-controlled input is vulnerable.

📦 What is this software?

mustache.php (Packagist package mustache/mustache) is a PHP implementation of the Mustache template language, used by PHP applications to render templates with application data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Server-side template injection allowing arbitrary code execution, potentially leading to data exfiltration or service disruption.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially reduced to denial of service.

🌐 Internet-Facing: HIGH - Template engines are commonly exposed in web applications, making exploitation straightforward.
🏢 Internal Only: MEDIUM - Internal applications using vulnerable versions remain at risk but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user-controlled input to reach the template rendering functions. A public proof-of-concept exists in the referenced bounty report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.1

Vendor Advisory: https://github.com/bobthecow/mustache.php/commit/579ffa5c96e1d292c060b3dd62811ff01ad8c24e

Restart Required: No

Instructions:

1. In composer.json, set the requirement to "mustache/mustache": "^2.14.1".
2. Run 'composer update mustache/mustache'.
3. Verify the installed version with 'composer show mustache/mustache'.

🔧 Temporary Workarounds

Input Validation and Sanitization (platform: all)

Implement strict input validation and output encoding for all user-supplied template data.

Temporary Version Lock (platform: linux)

Temporarily lock to a specific safe version while planning the upgrade:

composer require mustache/mustache:2.14.1

🧯 If You Can't Patch

  • Implement strict input validation to prevent user-controlled data from reaching template rendering functions.
  • Deploy web application firewall (WAF) rules to detect and block template injection attempts.

🔍 How to Verify

Check if Vulnerable:

Check the constraint in composer.json, or run 'composer show mustache/mustache', to see whether the installed version is below 2.14.1.

Check Version:

composer show mustache/mustache | grep versions

Verify Fix Applied:

Confirm version is 2.14.1 or higher with 'composer show mustache/mustache'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template rendering errors
  • Suspicious PHP execution patterns in logs
  • Unexpected system commands in application logs

Network Indicators:

  • Unusual outbound connections from web servers
  • Data exfiltration patterns

SIEM Query:

source='web_logs' AND (message LIKE '%mustache%' OR message LIKE '%template%') AND (message LIKE '%error%' OR message LIKE '%injection%')

🔗 References
