CVE-2025-49136: listmonk's Sprig template injection vulnerability allows low-privilege users to read environment variables
The env and expandenv template functions, which Sprig enables by default, read environment variables from the host. This is not a problem on single-user (super admin) installations, but on multi-user installations it lets non-super-admin users who hold campaign or template permissions use the {{ env }} (or {{ expandenv }}) template expression to read sensitive environment variables, that is, any secret the listmonk process receives through its environment.
Upgrade to v5.0.2 to mitigate.
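As an added illustration (not code from listmonk or Sprig), the Go program below models the relevant part of the Sprig FuncMap, shows a campaign-style template leaking a constructed environment variable through env and expandenv, shows a hardened FuncMap with both functions removed, and adds a small audit walker that flags stored templates already using them. The variable name DEMO_DB_PASSWORD, the helper names, and the reduced FuncMap are assumptions made for the example; Sprig's real env and expandenv are thin wrappers around os.Getenv and os.ExpandEnv, which is what is reproduced here, and the "remove the two functions" fix is the shape of mitigation an embedding application can apply, not a description of the listmonk v5.0.2 patch.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
	"text/template/parse"
)

// sprigLikeFuncs models the relevant part of Sprig's FuncMap. Sprig's "env" and
// "expandenv" wrap os.Getenv and os.ExpandEnv; "upper" stands in for the many
// harmless helpers Sprig also provides (assumption: the rest is irrelevant here).
func sprigLikeFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// hardenedFuncs returns the same map with the host-introspection functions removed.
// Templates that still reference them then fail at parse time instead of leaking.
func hardenedFuncs() template.FuncMap {
	fm := sprigLikeFuncs()
	for _, name := range []string{"env", "expandenv"} {
		delete(fm, name)
	}
	return fm
}

// render parses and executes an untrusted template body (e.g. a campaign body
// written by a non-super-admin user) with the given FuncMap and no data.
func render(funcs template.FuncMap, body string) (string, error) {
	t, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// dangerousCalls walks a parsed template and reports every reference to a
// denied function name, so templates already stored in the database can be
// audited. It parses with the permissive map so offending templates still parse.
func dangerousCalls(body string, deny ...string) ([]string, error) {
	t, err := template.New("audit").Funcs(sprigLikeFuncs()).Parse(body)
	if err != nil {
		return nil, err
	}
	denied := map[string]bool{}
	for _, d := range deny {
		denied[d] = true
	}
	var hits []string
	var walk func(n parse.Node)
	walk = func(n parse.Node) {
		switch n := n.(type) {
		case *parse.ListNode:
			if n == nil {
				return
			}
			for _, c := range n.Nodes {
				walk(c)
			}
		case *parse.ActionNode:
			walk(n.Pipe)
		case *parse.TemplateNode:
			if n.Pipe != nil {
				walk(n.Pipe)
			}
		case *parse.PipeNode:
			if n == nil {
				return
			}
			for _, c := range n.Cmds {
				walk(c)
			}
		case *parse.CommandNode:
			for _, a := range n.Args {
				walk(a)
			}
		case *parse.IdentifierNode:
			if denied[n.Ident] {
				hits = append(hits, n.Ident)
			}
		case *parse.IfNode:
			walk(n.Pipe)
			walk(n.List)
			walk(n.ElseList)
		case *parse.RangeNode:
			walk(n.Pipe)
			walk(n.List)
			walk(n.ElseList)
		case *parse.WithNode:
			walk(n.Pipe)
			walk(n.List)
			walk(n.ElseList)
		}
	}
	walk(t.Tree.Root)
	return hits, nil
}

// seedConstructedEnv plants a constructed secret in the process environment so
// the leak is observable offline; real deployments get such values from the host.
func seedConstructedEnv() { os.Setenv("DEMO_DB_PASSWORD", "s3cr3t") }

func main() {
	seedConstructedEnv()
	leak := `Hello subscriber, {{ env "DEMO_DB_PASSWORD" }} {{ expandenv "pw=$DEMO_DB_PASSWORD" }}`
	out, _ := render(sprigLikeFuncs(), leak)
	fmt.Println("vulnerable:", out)
	_, err := render(hardenedFuncs(), leak)
	fmt.Println("hardened:  ", err)
	hits, _ := dangerousCalls(leak, "env", "expandenv")
	fmt.Println("audit hits:", hits)
}
```

The audit walker is worth running over stored campaign and template rows before removing the functions, since any legitimate template that used them will start failing at parse time once the FuncMap is hardened.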