Description
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high-privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.

Workaround

This vulnerability can be mitigated by disabling the include macro in Pebble Templates:

```java
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.extension.DisallowExtensionCustomizerBuilder;
import java.util.List;

// Remove the "include" token parser so templates cannot pull in local files.
new PebbleEngine.Builder()
    .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
        .disallowedTokenParserTags(List.of("include"))
        .build())
    .build();
```
Published: 2025-02-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local file read via path traversal
Action: Patch or Disable
AI Analysis

Impact

The vulnerability in Pebble Templates arises because the include tag resolves externally supplied file paths without sanitizing them. An attacker who can supply or influence template content can craft a malicious notification template that references arbitrary file paths such as /etc/passwd or /proc/1/environ. The result is that privileged application users gain read access to sensitive local files, exposing configuration data, credentials, or environment variables and potentially facilitating further compromise. This defect is classified as CWE-73, External Control of File Name or Path.

Affected Systems

Affected systems are applications that incorporate the Pebble library (io.pebbletemplates:pebble) in versions from 0 up to, but not including, 4.1.0. The vulnerable code resides in the include tag functionality of the Pebble Engine. Any deployment that uses the default engine, or a custom engine that has not disabled the tag, may expose the flaw.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score of < 1% suggests a low probability of exploitation at the time of analysis, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is application-level: an adversary must be able to supply or modify template content that the application renders. High privileges are required to read sensitive local files this way, but once an attacker can inject a malicious template, the included file contents are returned in the rendered output, enabling data exfiltration.

Generated by OpenCVE AI on April 20, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pebble to version 4.1.0 or later to eliminate the include-tag path traversal flaw.
  • If upgrading is not feasible, disable the include tag by configuring the Pebble Engine with a DisallowExtensionCustomizerBuilder and listing "include" in the disallowed token parser tags.
  • Restrict template sources to trusted directories and validate any external input before rendering to prevent malicious templates from gaining file inclusion capabilities.

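The following is an added example, not code from the advisory or from the Pebble project, that combines the Workaround above with the recommended restriction of template sources: the engine disallows the include tag and uses a StringLoader so the loader has no filesystem path to resolve, then checks that a template carrying the tag is rejected before rendering. The class name, the constructed sample templates and the choice of StringLoader are assumptions about the deployment.

```java
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.error.PebbleException;
import io.pebbletemplates.pebble.extension.DisallowExtensionCustomizerBuilder;
import io.pebbletemplates.pebble.loader.StringLoader;
import io.pebbletemplates.pebble.template.PebbleTemplate;

import java.io.IOException;
import java.io.StringWriter;
import java.util.List;
import java.util.Map;

public class HardenedPebbleConfig {
    // Engine for rendering semi-trusted template text (e.g. user-edited
    // notification templates). Two layers: the include tag is disallowed,
    // and the loader never consults the filesystem.
    static PebbleEngine buildHardenedEngine() {
        return new PebbleEngine.Builder()
                // Assumption: templates arrive as strings, so StringLoader (which
                // treats the template "name" as its source) removes the file-path sink.
                .loader(new StringLoader())
                .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                        .disallowedTokenParserTags(List.of("include"))
                        .build())
                .build();
    }

    // Renders templateSource with ctx; returns null when the engine rejects it.
    static String render(PebbleEngine engine, String templateSource, Map<String, Object> ctx) {
        try {
            PebbleTemplate t = engine.getTemplate(templateSource);
            StringWriter out = new StringWriter();
            t.evaluate(out, ctx);
            return out.toString();
        } catch (PebbleException | IOException e) {
            // A disallowed tag is reported at parse time, before any file is opened.
            System.err.println("template rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        PebbleEngine engine = buildHardenedEngine();
        Map<String, Object> ctx = Map.of("user", "alice");
        // Constructed benign template renders normally.
        System.out.println(render(engine, "Hello {{ user }}", ctx));
        // Constructed regression check: a template using the disallowed tag must be rejected.
        boolean blocked = render(engine, "{% include \"/etc/passwd\" %}", ctx) == null;
        System.out.println(blocked ? "include tag blocked" : "include tag NOT blocked");
    }
}
```

The regression check belongs in the application's test suite so that a later engine reconfiguration that drops the customizer is caught before deployment.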


Advisories

Source | ID | Title
EUVD | EUVD-2025-5321 | Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro
GitHub GHSA | GHSA-p75g-cxfj-7wrx | Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro

History

Sun, 19 Apr 2026 08:00:00 +0000

Type: Description
Values Removed: the opening sentence read "All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag."
Values Added: the opening sentence now reads "Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag."
The remainder of the entry (the high-privileged attacker description and the Workaround snippet) is unchanged and matches the Description and Workaround sections above.
References

Fri, 19 Dec 2025 16:30:00 +0000

Type: References (values updated)

Mon, 07 Apr 2025 18:45:00 +0000

First Time appeared: Pebbletemplates; Pebbletemplates pebble
CPEs added: cpe:2.3:a:pebbletemplates:pebble:*:*:*:*:*:*:*:*
Vendors & Products added: Pebbletemplates; Pebbletemplates pebble

Tue, 04 Mar 2025 03:45:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Feb 2025 13:45:00 +0000

Title: io.pebbletemplates:pebble: Path Traversal Vulnerability in Pebble Templates
References (values updated)
Metrics: threat_severity
Values Removed: None
Values Added: Moderate


Thu, 27 Feb 2025 05:15:00 +0000

Type: Description
Values Added: "All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ." followed by the same Workaround text and Java snippet shown in the Workaround section above.
Weaknesses added: CWE-73
References (values updated)
Metrics added: cvssV3_1
{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P'}
cvssV4_0
{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-04-19T07:54:57.303Z

Reserved: 2025-02-25T10:32:01.608Z

Link: CVE-2025-1686

Vulnrichment

Updated: 2025-12-19T16:08:39.301Z

NVD

Status: Modified

Published: 2025-02-27T05:15:14.143

Modified: 2026-04-29T01:00:01.613

Link: CVE-2025-1686

Redhat

Severity: Moderate

Public Date: 2025-02-27T05:00:05Z

Links: CVE-2025-1686 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses