dotCMS
cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*
A critical sandbox escape vulnerability has been identified in dotCMS's Velocity scripting engine (VTools). This vulnerability allows authenticated users with scripting privileges to bypass class and package restrictions imposed by SecureUberspectorImpl. By dynamically altering the Velocity engine's runtime configuration and reinitializing its Uberspect, a malicious actor can eliminate the introspector.restrict.classes and introspector.restrict.packages protections. Once these restrictions are removed, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute system commands under the application's process privileges, such as the dotCMS or Tomcat user.
Exploitation of this vulnerability could lead to unauthorized access to Java classes and execution of arbitrary system commands under the application's process privileges.
Users can update to dotCMS versions LTS 25.07.10 or 24.12.27, where this vulnerability has been patched. Until then, it is recommended to disable or restrict access to the '/api/vtl/dynamic' endpoint, '$context.getVelocityEngine()' in templates, and scripting privileges for non-admin users.
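The advisory above names the concrete things a defender can check for: whether the deployed version is on a patched LTS build, whether non-admin requests reach `/api/vtl/dynamic`, and whether any stored template calls `$context.getVelocityEngine()` or references `java.lang.Runtime`. The script below is an added example, not dotCMS code, that turns those three mitigation points into checks. It assumes dotCMS version strings of the form `major.minor.patch` (e.g. `25.07.10`), knows only the two LTS lines the advisory mentions and reports anything else as unknown, and uses a constructed role model (`admin` vs. other roles) and constructed template snippets; the regex patterns flag only the identifiers the advisory itself lists.

```python
"""Defensive checks for the dotCMS Velocity (VTL) sandbox-escape advisory.

Added example, not dotCMS's own code. The flagged identifiers and the
patched versions come from the advisory text; the templates, request
records and role names below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Patched builds per LTS line, as stated in the advisory: (major, minor) -> patch
# Assumption: only these two lines are known; any other line reports "unknown".
PATCHED_LTS = {(25, 7): 10, (24, 12): 27}

# Template content the advisory recommends restricting. Only identifiers
# that appear in the advisory are matched here.
FLAGGED_PATTERNS = {
    "velocity-engine-access": re.compile(r"\$context\.getVelocityEngine\s*\("),
    "runtime-class-reference": re.compile(r"\bjava\.lang\.Runtime\b"),
}

RESTRICTED_ENDPOINT = "/api/vtl/dynamic"   # from the advisory
ADMIN_ROLE = "admin"                        # assumed role name, not a dotCMS constant


def fix_status(version: str) -> str:
    """Classify a dotCMS version as 'patched', 'vulnerable' or 'unknown'."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return "unknown"
    major, minor, patch = (int(p) for p in parts)
    fixed_patch = PATCHED_LTS.get((major, minor))
    if fixed_patch is None:
        return "unknown"          # a line the advisory does not cover
    return "patched" if patch >= fixed_patch else "vulnerable"


def should_block_request(path: str, roles: set[str]) -> bool:
    """Block the dynamic VTL endpoint unless the caller holds the admin role."""
    if path == RESTRICTED_ENDPOINT or path.startswith(RESTRICTED_ENDPOINT + "/"):
        return ADMIN_ROLE not in roles
    return False


@dataclass(frozen=True)
class Finding:
    template: str
    line: int
    label: str
    text: str


def audit_template(name: str, source: str) -> list[Finding]:
    """Return one Finding per flagged line; Velocity '##' comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("##"):
            continue
        for label, pattern in FLAGGED_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(name, lineno, label, stripped))
    return findings


def audit_templates(templates: dict[str, str]) -> list[Finding]:
    """Audit a mapping of template name -> template source."""
    results: list[Finding] = []
    for name, source in templates.items():
        results.extend(audit_template(name, source))
    return results


# Constructed sample templates (not taken from any real dotCMS site).
SAMPLE_TEMPLATES = {
    "header.vtl": "<h1>$!{content.title}</h1>\n#foreach($item in $list)\n  <li>$item</li>\n#end\n",
    "widget.vtl": "## note: $context.getVelocityEngine() is mentioned only in this comment\n"
                  "#set($engine = $context.getVelocityEngine())\n$engine\n",
    "legacy.vtl": '#set($cls = "java.lang.Runtime")\n',
}

if __name__ == "__main__":
    for v in ("25.07.10", "25.07.9", "24.12.27", "23.10.1"):
        print(f"{v}: {fix_status(v)}")
    print("block non-admin:", should_block_request("/api/vtl/dynamic", {"editor"}))
    for f in audit_templates(SAMPLE_TEMPLATES):
        print(f"{f.template}:{f.line} [{f.label}] {f.text}")
```

Run it against an export of the site's templates and the version reported by the instance; any `velocity-engine-access` or `runtime-class-reference` finding in a template editable by non-admin users is worth reviewing before the upgrade lands, and the request policy can be mirrored in whatever reverse proxy or servlet filter fronts the API.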