CVE-2025-27137
📋 TL;DR
This vulnerability allows authenticated users with the SYSTEM_CONFIGURATION permission in Dependency-Track to craft malicious notification templates that include sensitive local files via the Pebble template engine's include tag. The attacker can exfiltrate sensitive system files such as /etc/passwd or /proc/1/environ by configuring these templates to send notifications to destinations they control. Only users with the SYSTEM_CONFIGURATION permission are affected, which by default is limited to members of the Administrators team.
💻 Affected Systems
- Dependency-Track
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through exfiltration of sensitive configuration files, credentials, or environment variables leading to lateral movement and privilege escalation.
Likely Case
Information disclosure of sensitive system files containing user data, configuration secrets, or environment variables.
If Mitigated
No impact if SYSTEM_CONFIGURATION permission is properly restricted to trusted administrators only.
🎯 Exploit Status
Exploitation requires authenticated access with SYSTEM_CONFIGURATION permission. Public advisories include technical details that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.12.6
Vendor Advisory: https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9582-88hr-54w3
Restart Required: Yes
Instructions:
1. Back up your Dependency-Track instance.
2. Upgrade to version 4.12.6 or later.
3. Restart the Dependency-Track service.
4. Verify the upgrade succeeded by checking the version.
🔧 Temporary Workarounds
Restrict SYSTEM_CONFIGURATION Permission
Remove the SYSTEM_CONFIGURATION permission from all non-administrative users and teams
Review and modify user/team permissions in Dependency-Track administration interface
🧯 If You Can't Patch
- Immediately audit and remove SYSTEM_CONFIGURATION permission from all non-administrative users
- Implement strict access controls and monitoring for users with SYSTEM_CONFIGURATION permission
🔍 How to Verify
Check if Vulnerable:
Check the Dependency-Track version via the web interface or API. If the version is below 4.12.6 and the SYSTEM_CONFIGURATION permission is assigned to users, the system is vulnerable.
Check Version:
curl -s http://dependency-track-host/api/version | grep version
Verify Fix Applied:
After upgrading to 4.12.6+, verify that include tags in notification templates cause evaluation failures instead of executing.
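An added example (not part of this advisory or of Dependency-Track) that automates the two checks above: it compares the version reported by /api/version against 4.12.6, and lists every include tag found in a set of notification template bodies so they can be reviewed before and after upgrading. It assumes /api/version returns JSON with a "version" key (consistent with the grep above); the template bodies are constructed sample data.

```python
import json
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "4.12.6"  # first release with the fix, per the advisory

# Matches a Pebble include tag, e.g. {% include "x" %} or {%- include tmpl with {...} -%}
INCLUDE_TAG = re.compile(r"{%-?\s*include\b.*?%}", re.DOTALL)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.12.6', '4.13.0-SNAPSHOT' or '4.12' into a comparable tuple.
    Any pre-release suffix after the dotted numeric part is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_below_fixed_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the fixed release (4.12 counts as 4.12.0)."""
    have, want = parse_version(version), parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def is_vulnerable_version(api_version_body: str) -> bool:
    """Evaluate the body of GET /api/version. Assumption: it is JSON with a
    'version' key, consistent with the `grep version` check in the advisory."""
    return is_below_fixed_version(json.loads(api_version_body)["version"])


def find_include_tags(template: str) -> List[str]:
    """Return every include tag found in one notification template body."""
    return [m.group(0) for m in INCLUDE_TAG.finditer(template)]


def audit_templates(templates: Dict[str, str]) -> Dict[str, List[str]]:
    """Map template name -> include tags, for templates that contain any.
    On a fixed instance these templates will now fail evaluation; on an
    unfixed instance they are the ones to review first."""
    return {name: tags for name, body in templates.items()
            if (tags := find_include_tags(body))}


if __name__ == "__main__":
    # Constructed sample data, not taken from a real instance.
    print(is_vulnerable_version('{"version": "4.12.5"}'))  # True
    sample = {"plain": "{{ notification.title }}",
              "review": "{{ notification.title }} {% include \"/proc/1/environ\" %}"}
    print(audit_templates(sample))  # {'review': ['{% include "/proc/1/environ" %}']}
```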
📡 Detection & Monitoring
Log Indicators:
- Failed template evaluations with include tag errors
- Unusual notification template modifications
- Multiple notification failures from same user
Network Indicators:
- Unusual outbound traffic from Dependency-Track to external notification destinations
- Large data transfers in notification payloads
SIEM Query:
source="dependency-track" AND (event="template_evaluation_failed" OR (event="notification_sent" AND size>10000))
🔗 References
- https://github.com/DependencyTrack/dependency-track/pull/4684
- https://github.com/DependencyTrack/dependency-track/pull/4685
- https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9582-88hr-54w3
- https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-p75g-cxfj-7wrx
- https://github.com/PebbleTemplates/pebble/issues/680
- https://pebbletemplates.io/wiki/tag/include