CVE-2025-67898
📋 TL;DR
MJML versions through 4.18.0 contain a directory traversal vulnerability in the mj-include component, allowing attackers to test for file existence and read files when type="css" is specified. This affects any application using vulnerable MJML versions to process untrusted MJML templates. The vulnerability results from an incomplete fix for CVE-2020-12827.
💻 Affected Systems
- MJML
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive server files including configuration files, source code, or credentials, potentially leading to further system compromise.
Likely Case
Information disclosure of server files, potentially exposing configuration details or application source code.
If Mitigated
Limited impact if proper input validation and file access controls are implemented.
🎯 Exploit Status
Exploitation requires ability to submit MJML templates to a vulnerable parser. The GitHub issue includes proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.19.0 or later
Vendor Advisory: https://github.com/mjmlio/mjml/issues/3018
Restart Required: No
Instructions:
1. Update MJML package to version 4.19.0 or later using npm update mjml.
2. Verify the update with npm list mjml.
3. Test MJML template processing functionality.
🔧 Temporary Workarounds
Input validation and sanitization (all platforms)
- Implement strict validation of mj-include paths to prevent directory traversal sequences
- Implement path normalization and validation in your MJML processing code
Restrict file access permissions (Linux)
- Configure the server to restrict file system access for the MJML processing service:
  chmod 750 /path/to/restricted/directories
- Set appropriate user/group permissions
🧯 If You Can't Patch
- Implement strict input validation to reject MJML templates containing directory traversal sequences in mj-include paths
- Run MJML processing in a sandboxed environment with restricted file system access
🔍 How to Verify
Check if Vulnerable:
Check MJML version with npm list mjml or examine package.json. Versions ≤4.18.0 are vulnerable.
Check Version:
npm list mjml | grep mjml
Verify Fix Applied:
Confirm MJML version is ≥4.19.0 and test with known malicious MJML templates containing directory traversal in mj-include.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file access attempts with directory traversal patterns
- Unusual file read operations from MJML processing service
Network Indicators:
- HTTP requests containing MJML with suspicious mj-include paths
- Patterns like '../../' in template submissions
SIEM Query:
source="mjml" AND (path="*../*" OR path="*..\\*")