CVE-2022-29221

8.8 HIGH

📋 TL;DR

This vulnerability in the Smarty template engine allows template authors to inject PHP code through malicious {block} names or {include} file names. It affects sites where template authors are not fully trusted, potentially leading to remote code execution. The vulnerability is patched in Smarty versions 3.1.45 and 4.1.1.

💻 Affected Systems

Products:
  • Smarty PHP Template Engine
Versions: All versions prior to 3.1.45 on the 3.x branch, and all 4.x versions prior to 4.1.1
Operating Systems: All operating systems running PHP with Smarty
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites where template authors are not fully trusted. Sites with completely trusted template authors may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Template authors with malicious intent could execute arbitrary PHP code, potentially accessing sensitive data or modifying application behavior.

🟢 If Mitigated

With proper access controls and trusted template authors only, impact is limited to authorized template modifications.

🌐 Internet-Facing: HIGH - Web applications using Smarty templates are typically internet-facing, making them accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable if untrusted users can create or modify templates.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires template author access. The vulnerability is in template parsing logic, making exploitation straightforward for malicious template authors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.45 or 4.1.1

Vendor Advisory: https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c

Restart Required: No

Instructions:

1. Back up your current Smarty installation.
2. Update via Composer: 'composer require smarty/smarty:^3.1.45' or 'composer require smarty/smarty:^4.1.1'.
3. Verify the update completed successfully.
4. Test your application functionality.

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict template author permissions to trusted users only
  • Implement strict input validation on all template names and block names

🔍 How to Verify

Check if Vulnerable:

Check your Smarty version. If using Composer: 'composer show smarty/smarty'. If installed manually: check the Smarty.class.php file for the SMARTY_VERSION constant.

Check Version:

php -r "require_once 'Smarty.class.php'; echo 'Smarty version: ' . Smarty::SMARTY_VERSION;"

Verify Fix Applied:

Verify the version is 3.1.45 or higher for Smarty 3.x, or 4.1.1 or higher for Smarty 4.x.
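
The same version rule applied to a composer.lock file, as an added example that is not part of the vendor advisory or the Smarty project. The function names and the sample lock contents are constructed for illustration; anything that is not a plain release version (for example a branch alias) is reported as undecided rather than guessed.

```python
import json
import re

# Fixed releases named on this page, one per branch.
FIXED_3X = (3, 1, 45)
FIXED_4X = (4, 1, 1)

def parse_version(raw):
    """Return (major, minor, patch), or None for anything that is not a plain release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def is_vulnerable(raw):
    """True/False for a release version, None when it cannot be decided."""
    v = parse_version(raw)
    if v is None:
        return None
    # 4.x and later are compared with 4.1.1, everything older with 3.1.45.
    return v < FIXED_4X if v >= (4, 0, 0) else v < FIXED_3X

def audit_lock(lock_text):
    """Return [(version, verdict)] for every smarty/smarty entry in a composer.lock."""
    lock = json.loads(lock_text)
    results = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == "smarty/smarty":
                results.append((pkg["version"], is_vulnerable(pkg["version"])))
    return results

# Constructed sample composer.lock, trimmed to the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "2.8.0"},
        {"name": "smarty/smarty", "version": "v3.1.44"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "patched", None: "unknown, check manually"}
    for version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"smarty/smarty {version}: {labels[verdict]}")
```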

📡 Detection & Monitoring

Log Indicators:

  • Unusual template file names containing special characters
  • Unexpected PHP execution in template directories
  • Template compilation errors with suspicious content

Network Indicators:

  • Unusual outbound connections from web server after template modifications
  • Unexpected file downloads to template directories

SIEM Query:

source="web_server" AND (template_name="*{php*}*" OR template_name="*system(*)*" OR template_name="*eval(*)*")
