CVE-2025-60355
📋 TL;DR
CVE-2025-60355 is a critical Server-Side Template Injection (SSTI) vulnerability in zhangyd-c OneBlog, a Java blog platform that renders its pages with FreeMarker. User-controlled input reaches the FreeMarker template source, so an attacker can inject template directives (for example the `?new()` built-in) and execute arbitrary code with the privileges of the application process. All OneBlog versions before 2.3.9 are affected; successful exploitation can lead to complete compromise of the host.
💻 Affected Systems
- zhangyd-c OneBlog
📦 What is this software?
OneBlog (zhangyd-c/OneBlog) is an open-source blogging and CMS application written in Java on Spring Boot; its pages and themes are FreeMarker templates, which is the template engine the injection reaches.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution allowing attackers to read sensitive files, modify content, or disrupt service availability.
If Mitigated
Limited impact if user input never becomes part of a template's source (it is passed only through the data model) and FreeMarker is configured with a restrictive class resolver and `?api` disabled; in that configuration an injected expression can at most read values already exposed in the data model. Output encoding alone does not help here: SSTI happens when the template is parsed, before any output escaping runs.
🎯 Exploit Status
FreeMarker SSTI is well documented and needs no custom tooling: the public payload instantiates `freemarker.template.utility.Execute` through the `?new()` built-in and calls it with an OS command. Once the injection point is known, exploitation is a single crafted request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.9
Advisory (public issue report, not in the OneBlog repository): https://github.com/line2222/vuln/issues/4
Restart Required: Yes
Instructions:
1. Back up your current OneBlog installation and database.
2. Download version 2.3.9 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the application server.
🔧 Temporary Workarounds
Input Validation Filter
Reject requests whose parameters contain FreeMarker syntax (`${`, `<#`, `<@`, `?new(`, `?api`), after URL-decoding. This is a blacklist and therefore bypass-prone; treat it as a stopgap until 2.3.9 is deployed, not as a fix.
# Configure the application (or a servlet filter in front of it) to reject FreeMarker syntax in request parameters
# Apply the filter to every parameter that can end up in a rendered page, not only the obvious template fields
WAF Rule
Deploy Web Application Firewall rules to detect and block SSTI payloads. The rule below matches the interpolation, directive and built-in syntax a FreeMarker payload needs; the original `\$\{.*\}`-only pattern misses the `<#assign ...?new()>` form that actually gives code execution.
# Example ModSecurity rule (decode first, since attackers URL-encode `<`, `#`, `$` and `{`):
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx (\$\{|<#|<@|\?new\s*\(|\?api\b)" \
    "id:1001,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:lowercase,msg:'FreeMarker SSTI attempt detected'"
🧯 If You Can't Patch
- Never build FreeMarker template source from user-controlled data; pass user values only through the data model, and harden the engine so a future mistake cannot become RCE: set `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` (or `SAFER_RESOLVER`) as the `?new` class resolver and keep `?api` disabled
- Deploy network segmentation and restrict access to OneBlog instances to only trusted users
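To make the two hardening points above concrete, here is an added example (it is not OneBlog's code, and this page does not say where in OneBlog the user input reaches the template, so it shows the generic FreeMarker sink). It assumes FreeMarker 2.3.31 or later on the classpath; the class and method names are ours. It renders the well-known `?new()` payload three ways: spliced into the template source with default settings (executes `id`), spliced into the source with a hardened `Configuration` (FreeMarker refuses to instantiate the class), and passed correctly through the data model (rendered as escaped text).

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

/**
 * Added example (not OneBlog code): the generic FreeMarker SSTI sink next to a hardened
 * rendering path. Assumes freemarker 2.3.31+ on the classpath; names here are ours.
 */
public class FreeMarkerSstiDemo {

    // Constructed attacker input: the public FreeMarker RCE payload. The ?new built-in
    // instantiates freemarker.template.utility.Execute, whose exec() runs an OS command.
    static final String PAYLOAD =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    static Configuration baseConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // HTML auto-escaping of ${...} output stops XSS; it does NOT stop SSTI,
        // because the injected directive runs when the template is parsed and processed.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        return cfg;
    }

    /** Defence in depth that survives a later coding mistake: no ?new(), no ?api. */
    static Configuration hardenedConfig() {
        Configuration cfg = baseConfig();
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER); // "..."?new() always refused
        cfg.setAPIBuiltinEnabled(false);                                               // value?api stays disabled
        return cfg;
    }

    /** VULNERABLE: user input is spliced into the template SOURCE, so its directives execute. */
    static String renderVulnerable(Configuration cfg, String userControlled)
            throws IOException, TemplateException {
        String source = "<h1>Hello " + userControlled + "</h1>";
        Template t = new Template("inline", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(Map.of(), out);
        return out.toString();
    }

    /** SAFE: the template source is a constant; user input is only a data-model value. */
    static String renderSafe(Configuration cfg, String userControlled)
            throws IOException, TemplateException {
        Template t = new Template("static", new StringReader("<h1>Hello ${name}</h1>"), cfg);
        StringWriter out = new StringWriter();
        t.process(Map.of("name", userControlled), out); // ${name} is a lookup, never parsed as FTL
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Default config + splicing: the payload runs `id` and its output lands in the page.
        System.out.println(renderVulnerable(baseConfig(), PAYLOAD));

        // 2. Same bug, hardened config: FreeMarker throws a TemplateException
        //    ("Instantiating freemarker.template.utility.Execute is not allowed ...") instead.
        try {
            renderVulnerable(hardenedConfig(), PAYLOAD);
        } catch (TemplateException e) {
            System.out.println("blocked by ALLOWS_NOTHING_RESOLVER: " + e.getMessage());
        }

        // 3. Correct pattern: the payload is rendered as escaped text (&lt;#assign ex=&quot;...).
        System.out.println(renderSafe(hardenedConfig(), PAYLOAD));
    }
}
```

Case 2 is the reason to apply the resolver setting even though the real fix is case 3: it turns a silent RCE into a logged `TemplateException`, which the detection section below can alert on.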
🔍 How to Verify
Check if Vulnerable:
Any OneBlog deployment running a version below 2.3.9 is vulnerable.
Check Version:
Read the version from the admin dashboard, from the application's configuration files, or from the `version` element of the deployed build's `pom.xml`.
Verify Fix Applied:
Confirm the version is 2.3.9 or higher, then submit a harmless FreeMarker expression such as `${7*7}` in previously affected parameters and confirm it is returned literally rather than evaluated to `49`.
📡 Detection & Monitoring
Log Indicators:
- FreeMarker `TemplateException` or `ParseException` stack traces in application logs, especially ones mentioning `?new`, `Execute` or "is not allowed in the template for security reasons"
- Requests containing FreeMarker syntax (`${...}`, `<#...>`, `<@...>`, `?new(`, `?api`), possibly URL-encoded (`%24%7B`, `%3C%23`); a bare `#` or `@` is far too noisy on its own (URL fragments, e-mail addresses)
- Unexpected file read or write operations
Network Indicators:
- HTTP requests with FreeMarker payloads in parameters
- Unusual outbound connections from application server
SIEM Query (Splunk SPL-style example; adapt field names to your log source):
source="web_logs" | regex _raw="(?i)(\$\{|%24%7B|<#|%3C%23|<@|%3C%40|\?new\s*\(|%3Fnew)"
Do not filter on `status=200`: a payload that errors out produces a 500 from the template engine, and a failed attempt is as worth seeing as a successful one.
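The log indicators above, as an added example that is not part of the original advisory and not OneBlog code: a small scanner that applies the same FreeMarker-syntax markers to access-log lines, matching both the raw line and its URL-decoded form, and ignoring the noisy bare `#`. The sample log lines are constructed for the example; the class and method names are ours.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example (not OneBlog code): flag access-log lines carrying FreeMarker SSTI syntax. */
public class SstiLogScanner {

    // FreeMarker syntax that legitimate blog URLs and parameters never contain:
    //   ${...} interpolation, <#...> directive, <@...> macro call, ?new( / ?api built-ins.
    // A bare '#' or '@' is deliberately NOT matched (URL fragments, e-mail addresses).
    static final Pattern FTL_MARKERS = Pattern.compile(
        "\\$\\{|<#|<@|\\?new\\s*\\(|\\?api\\b", Pattern.CASE_INSENSITIVE);

    /** URL-decode once (attackers encode '<', '#', '$', '{'); fall back to the raw line on bad escapes. */
    static String decode(String line) {
        try {
            return URLDecoder.decode(line, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedPercentEscape) {
            return line;
        }
    }

    /** Returns the lines containing FreeMarker syntax, in raw or decoded form, regardless of status code. */
    static List<String> findSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            if (FTL_MARKERS.matcher(line).find() || FTL_MARKERS.matcher(decode(line)).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample access-log lines (not from a real incident).
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] \"GET /article/42 HTTP/1.1\" 200 5123",
            // URL-encoded <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}; server answered 500
            "10.0.0.9 - - [01/Oct/2025:10:00:02 +0000] \"GET /search?q=%3C%23assign+ex%3D%22freemarker.template.utility.Execute%22%3Fnew()%3E%24%7Bex(%22id%22)%7D HTTP/1.1\" 500 211",
            "10.0.0.9 - - [01/Oct/2025:10:00:03 +0000] \"POST /admin/comment HTTP/1.1\" 200 77",
            // Unencoded probe ${7*7}: the classic test for whether expressions are evaluated
            "10.0.0.12 - - [01/Oct/2025:10:00:04 +0000] \"GET /search?q=${7*7} HTTP/1.1\" 200 4099",
            // Benign '#' in a fragment: must NOT be flagged
            "10.0.0.3 - - [01/Oct/2025:10:00:05 +0000] \"GET /post#comments HTTP/1.1\" 200 3000"
        );
        for (String hit : findSuspicious(sample)) {
            System.out.println("SSTI marker: " + hit);
        }
        // Expected: the two /search requests from 10.0.0.9 and 10.0.0.12 are flagged; the other three are not.
    }
}
```

The encoded line is the one a `${.*}`-only rule or the original `"#.*"` query gets wrong: the raw bytes contain no `${`, so only the decoded pass catches it, while the `/post#comments` line shows why a bare `#` would flood the alert queue.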