Thymeleaf
cpe:2.3:a:thymeleaf:thymeleaf:*:*:*:*:*:*:*
- <= 3.1.4.RELEASE
A security bypass vulnerability has been identified in Thymeleaf, a Java template engine, in versions prior to 3.1.5.RELEASE. This vulnerability arises in the expression execution mechanisms, where the library inadequately neutralizes certain constructs that could allow the execution of potentially dangerous expressions, particularly in sandboxed contexts. If an application developer inputs unsanitized variables containing such expressions into the template engine, these can be executed within the templates, leading to Server-Side Template Injection (SSTI).
Successful exploitation gives an attacker Server-Side Template Injection: arbitrary expressions run on the server, which can lead to remote code execution or other malicious actions depending on the application's context.
Users are advised to upgrade to Thymeleaf version 3.1.5.RELEASE. For those using Thymeleaf with Spring, the same version should be applied. No additional workarounds are available, but it is crucial to ensure that unvalidated or unsanitized data is not passed directly to the template engine.
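As an added illustration of the remediation advice above (this is not code from the advisory or from the Thymeleaf project), the following Java class puts the risky pattern, splicing request data into the template source, beside the safe one, passing request data through the model so it is rendered as escaped text. The class and method names are assumptions; `TemplateEngine`, `StringTemplateResolver` and `Context` are the library's real API, and the sample input is constructed.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafRenderDemo {

    private static TemplateEngine buildEngine() {
        // Resolve templates from in-memory strings so the demo needs no templates directory.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // The pattern the advisory warns against: request data becomes part of the template
    // source, so any th:* attributes or inline expressions it contains are parsed and
    // evaluated by the engine instead of being treated as data.
    static String renderUnsafe(TemplateEngine engine, String userInput) {
        String templateSource = "<p>Hello, " + userInput + "</p>";
        return engine.process(templateSource, new Context());
    }

    // Hardened form: the template is a fixed, developer-owned string; request data travels
    // through the model and th:text emits it as HTML-escaped text, never as an expression.
    static String renderSafe(TemplateEngine engine, String userInput) {
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return engine.process("<p th:text=\"|Hello, ${name}|\">placeholder</p>", ctx);
    }

    public static void main(String[] args) {
        TemplateEngine engine = buildEngine();
        // Constructed input that resembles expression syntax and contains markup; with
        // renderSafe it is displayed literally and escaped, not evaluated.
        String userInput = "${'injected'} <b>x</b>";
        System.out.println(renderSafe(engine, userInput));
    }
}
```

Upgrading to 3.1.5.RELEASE closes the sandbox bypass itself; keeping user data out of the template source, as in `renderSafe`, removes the injection path regardless of engine version.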