CVE-2025-64087

9.8 CRITICAL

📋 TL;DR

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport allows attackers to execute arbitrary code by injecting malicious template expressions. This affects applications using XDocReport versions 1.0.0 through 2.1.0 for document generation. Attackers can achieve remote code execution with the privileges of the application server.

💻 Affected Systems

Products:
  • opensagres XDocReport
Versions: v1.0.0 to v2.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using XDocReport's FreeMarker template engine for document generation are vulnerable. The vulnerability exists in the template processing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with the attacker gaining full control of the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to data theft, service disruption, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially only causing denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code is available. Exploitation requires the ability to inject template expressions into FreeMarker templates processed by XDocReport.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.1 or later

Vendor Advisory: https://github.com/opensagres/xdocreport/pull/705

Restart Required: Yes

Instructions:

1. Update the XDocReport dependency to version 2.1.1 or later.
2. Update pom.xml or build.gradle to reference the patched version.
3. Rebuild and redeploy the application.
4. Restart the application server.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Validate any input that can reach a template: reject values containing FreeMarker expression syntax such as `${` or `<#`, and never assemble template source from user-supplied strings. Treat user input as data to be passed into the model, not as part of the template.

FreeMarker Sandbox Configuration

Platform: all

Configure FreeMarker with restricted template loading and a restrictive class resolver to limit what a template can do. Note that SAFER_RESOLVER only restricts which classes the `?new` built-in may instantiate (it blocks `Execute`, `ObjectConstructor` and `JythonRuntime`); FreeMarker is not designed to safely run templates authored by untrusted parties, so this is a hardening step, not a substitute for the patch.

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.TemplateExceptionHandler;

// freemarker.template.Configuration is the FreeMarker configuration class (FreeMarker has no ConfigurationBean)
Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER); // fail loudly instead of rendering error text
cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);     // restrict the ?new built-in

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SSTI payloads targeting FreeMarker templates.
  • Isolate the vulnerable application in a network segment with strict outbound traffic controls and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check whether your application uses XDocReport version 1.0.0 through 2.1.0 by examining the dependency files (pom.xml, build.gradle) or by running `mvn dependency:tree` or `gradle dependencies`. Check every XDocReport artifact, not just the first one listed: a partial upgrade can leave one module on an affected version.

Check Version:

mvn dependency:tree | grep xdocreport
gradle dependencies | grep xdocreport

Verify Fix Applied:

Verify that XDocReport version is 2.1.1 or higher in your dependency management files and that the application has been rebuilt and redeployed.
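The three verification steps above can be automated against the output of `mvn dependency:tree` or `gradle dependencies`. The script below is an added example and is not part of the advisory or of the XDocReport project: it parses the tree output, picks out every XDocReport artifact, honours Gradle's `-> resolved` version notation, and flags versions in the affected range v1.0.0 to v2.1.0 (fixed in v2.1.1). The sample output embedded in it is constructed; the artifact names follow XDocReport's `fr.opensagres.xdocreport` Maven coordinates, which the advisory itself does not list.

```python
"""Flag XDocReport artifacts in Maven/Gradle dependency output whose version is
in the range affected by CVE-2025-64087 (v1.0.0 through v2.1.0, fixed in v2.1.1).

Added example, not code from the advisory or from the XDocReport project.
"""
import re
from typing import List, Optional, Tuple

FIRST_AFFECTED = (1, 0, 0)  # advisory: v1.0.0 through v2.1.0 affected
FIXED_IN = (2, 1, 1)        # advisory: fixed in v2.1.1 or later

# group:artifact followed by one or more ':'-separated fields (Maven: type:version:scope, Gradle: version)
COORD_RE = re.compile(r'([A-Za-z][\w.\-]*):([A-Za-z][\w.\-]*)((?::[\w.\-]+)+)')
# Gradle prints "declared -> resolved" when conflict resolution changed the version
RESOLVED_RE = re.compile(r'->\s*(\d[\w.\-]*)')

# Constructed sample output (not real build output); artifact names follow the
# fr.opensagres.xdocreport coordinates, which is an assumption of this example.
SAMPLE_MAVEN = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ report-service ---
[INFO] com.example:report-service:jar:1.0-SNAPSHOT
[INFO] +- fr.opensagres.xdocreport:fr.opensagres.xdocreport.document.docx:jar:2.0.4:compile
[INFO] |  \\- fr.opensagres.xdocreport:fr.opensagres.xdocreport.document:jar:2.0.4:compile
[INFO] +- fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker:jar:2.0.4:compile
[INFO] |  \\- org.freemarker:freemarker:jar:2.3.32:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

SAMPLE_GRADLE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- fr.opensagres.xdocreport:fr.opensagres.xdocreport.document.docx:2.0.4 -> 2.1.1
|    \\--- fr.opensagres.xdocreport:fr.opensagres.xdocreport.document:2.1.1
+--- fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker:2.0.4
\\--- org.freemarker:freemarker:2.3.32
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a leading major.minor[.patch] prefix; returns None for non-version fields."""
    m = re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in [v1.0.0, v2.1.1)."""
    return FIRST_AFFECTED <= version < FIXED_IN


def audit_dependency_output(output: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, affected) for every XDocReport artifact found."""
    findings = []
    for line in output.splitlines():
        if 'xdocreport' not in line.lower():
            continue
        m = COORD_RE.search(line)
        if not m or 'xdocreport' not in m.group(1).lower():
            continue
        artifact, rest = m.group(2), m.group(3)
        resolved = RESOLVED_RE.search(line[m.end():])
        if resolved:
            version_str = resolved.group(1)  # Gradle: trust the resolved version, not the declared one
        else:
            candidates = [f for f in rest.split(':') if parse_version(f)]
            if not candidates:
                continue
            version_str = candidates[-1]
        findings.append((artifact, version_str, is_affected(parse_version(version_str))))
    return findings


if __name__ == '__main__':
    for label, sample in (('maven', SAMPLE_MAVEN), ('gradle', SAMPLE_GRADLE)):
        for artifact, version, affected in audit_dependency_output(sample):
            print(f'{label}: {artifact} {version} -> {"AFFECTED" if affected else "ok"}')
```

In the constructed Gradle sample the document modules were resolved up to 2.1.1 while the FreeMarker template module stayed on 2.0.4, which is exactly the partial-upgrade case a grep for the first match would miss. To run it on real output, pipe `mvn dependency:tree` or `gradle dependencies` into a file and pass its contents to `audit_dependency_output`.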

📡 Detection & Monitoring

Log Indicators:

  • Unusual template processing errors
  • FreeMarker exceptions containing user input
  • Unexpected system command execution in logs
  • Outbound connections from application server to unknown IPs

Network Indicators:

  • HTTP requests containing FreeMarker template expressions in parameters
  • Unusual outbound traffic patterns from the application server

SIEM Query:

source="application.logs" AND ("freemarker.template" OR "xdocreport") AND ("exec" OR "Runtime.getRuntime" OR "ProcessBuilder")
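The log and network indicators above, together with the SIEM query, can be checked outside the SIEM as well. The script below is an added example, not part of the advisory: it runs two checks over constructed sample lines, one for FreeMarker expression syntax inside decoded HTTP request parameters (the network indicator) and one that mirrors the SIEM query, a FreeMarker or XDocReport component token together with one of the execution-related keywords. The log lines, paths and parameter names are constructed; the harmless `${7*7}` value stands in for "a template expression in a parameter".

```python
"""Detection checks for CVE-2025-64087 indicators over sample log lines.

Added example, not part of the advisory. Constructed sample data only.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# FreeMarker interpolation and directive syntax: ${...}, <#...>, <@...>
TEMPLATE_SYNTAX_RE = re.compile(r'\$\{|<#|<@')
# Terms taken from the advisory's SIEM query (substring match, case-insensitive, like the query)
COMPONENT_TOKENS = ('freemarker.template', 'xdocreport')
EXEC_KEYWORDS = ('exec', 'runtime.getruntime', 'processbuilder')

# Constructed access-log request lines (not real traffic)
ACCESS_LOG = [
    'GET /report?title=Quarterly+Report&format=docx HTTP/1.1',
    'GET /report?title=%24%7B7*7%7D HTTP/1.1',   # URL-encoded ${7*7}: template syntax in a parameter
    'POST /report HTTP/1.1',
]

# Constructed application-log lines (not real output)
APP_LOG = [
    '2025-11-02 10:14:03 INFO  fr.opensagres.xdocreport.document - report generated in 120ms',
    '2025-11-02 10:14:09 ERROR freemarker.template.TemplateException - error executing template, '
    'message mentions Runtime.getRuntime',
    '2025-11-02 10:14:10 WARN  freemarker.template.Configuration - template cache miss for report.docx',
]


def request_has_template_syntax(request_line: str) -> bool:
    """True if any query parameter value, after URL decoding, contains FreeMarker syntax.

    Values are decoded a second time so that double-encoded input is also caught.
    """
    try:
        _method, target, _proto = request_line.split(' ', 2)
    except ValueError:
        return False
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if TEMPLATE_SYNTAX_RE.search(value) or TEMPLATE_SYNTAX_RE.search(unquote_plus(value)):
            return True
    return False


def log_line_matches_siem_query(line: str) -> bool:
    """Mirror of the advisory's query: a component token AND an execution keyword."""
    lowered = line.lower()
    return any(t in lowered for t in COMPONENT_TOKENS) and any(k in lowered for k in EXEC_KEYWORDS)


def scan(access_lines, app_lines):
    """Return indices of flagged lines for each check."""
    return {
        'template_syntax_requests': [i for i, l in enumerate(access_lines) if request_has_template_syntax(l)],
        'siem_query_hits': [i for i, l in enumerate(app_lines) if log_line_matches_siem_query(l)],
    }


if __name__ == '__main__':
    print(scan(ACCESS_LOG, APP_LOG))
```

The bare term `exec` in the advisory's query also matches words such as "executing", so expect some noise from ordinary FreeMarker error messages; pair the query with the request-side check, which fires on template syntax in parameters regardless of what the template later did.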
