Thymeleaf
cpe:2.3:a:thymeleaf:thymeleaf:*:*:*:*:*:*:*
- <= 3.1.3.RELEASE
A security bypass vulnerability has been identified in Thymeleaf, a Java template engine, in versions up to and including 3.1.3.RELEASE. It arises from improper neutralization of certain syntax patterns in the expression execution mechanisms, allowing unauthorized expressions to be executed. Although Thymeleaf provides safeguards against expression injection, these protections can be bypassed when application developers pass unvalidated user input directly to the template engine, giving unauthenticated remote attackers an opening for Server-Side Template Injection (SSTI).
Successful exploitation lets an attacker execute arbitrary expressions on the server, potentially leading to remote code execution or other malicious actions, depending on the application's context.
Users are advised to upgrade to Thymeleaf version 3.1.4.RELEASE or later. For applications using Thymeleaf with Spring, the same version upgrade applies to the 'thymeleaf-spring5' and 'thymeleaf-spring6' packages.
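The developer-side condition the advisory names (unvalidated user input reaching the template engine) and its remediation, shown as an added example that is not from the advisory or the Thymeleaf project. It assumes a Spring MVC application using thymeleaf-spring6 with templates under src/main/resources/templates/; the controller, route and page names are hypothetical.

```java
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical controller (added example, not Thymeleaf or Spring code).
@Controller
public class PageController {

    // UNSAFE: the request parameter is spliced into the view name that
    // Thymeleaf resolves and evaluates. Whatever the caller supplies reaches
    // the engine's expression machinery, which is exactly the situation in
    // which the engine's own safeguards could be bypassed before 3.1.4.RELEASE.
    @GetMapping("/unsafe/page")
    public String unsafePage(@RequestParam String name) {
        return "pages/" + name;
    }

    // Fixed allowlist: user input may only select among these known views.
    private static final Map<String, String> ALLOWED_PAGES = Map.of(
        "home", "pages/home",
        "about", "pages/about",
        "contact", "pages/contact");

    // SAFE: user input never selects or shapes template text. The view name
    // comes from the allowlist, and the raw value is handed to the template
    // only as a model attribute, where Thymeleaf renders it as data rather
    // than parsing it as an expression.
    @GetMapping("/page")
    public String safePage(@RequestParam String name, Model model) {
        String view = ALLOWED_PAGES.get(name);
        if (view == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        model.addAttribute("requestedName", name);  // data, not template text
        return view;
    }
}
```

Allowlisting the view name is defense in depth for the application; the upgrade to 3.1.4.RELEASE or later is still required to close the engine-side bypass.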