CVE-2025-1686: Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro
If untrusted user input is used to dynamically create a `PebbleTemplate` with the method `PebbleEngine#getLiteralTemplate`, an attacker can include arbitrary local files from the file system into the generated template, leaking potentially sensitive information into the output of `PebbleTemplate#evaluate`. This is done via the `include` tag (referred to as the include macro in the advisory title). The root cause is that template source is code: any string handed to `getLiteralTemplate` can carry `{% include "..." %}` directives, which the engine resolves through its configured loader, so untrusted text must be supplied as context data rather than as template source.
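The following is an added illustration, not code from the advisory or from the Pebble project. It shows the vulnerable pattern (user input becomes template source) next to the hardened pattern (user input is passed as a context value, and the engine is given only a `ClasspathLoader` so `include` cannot resolve arbitrary file-system paths). It assumes Pebble's `io.pebbletemplates` package layout and the default loader behaviour (a delegating loader that falls back to a file-system loader), and the `/etc/passwd` payload is a constructed example.

```java
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.loader.ClasspathLoader;
import io.pebbletemplates.pebble.template.PebbleTemplate;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

public class PebbleLfiDemo {

    // VULNERABLE: untrusted text becomes the template *source*. With the
    // default engine configuration (assumption: delegating loader that
    // includes a file-system loader) a payload such as
    //   {% include "/etc/passwd" %}
    // is resolved as a file and its contents land in the rendered output.
    static String renderUntrustedAsTemplate(String userInput) throws IOException {
        PebbleEngine engine = new PebbleEngine.Builder().build();
        PebbleTemplate template = engine.getLiteralTemplate(userInput);
        StringWriter out = new StringWriter();
        template.evaluate(out);
        return out.toString();
    }

    // HARDENED: the template is a fixed, developer-controlled string and the
    // user's text is passed as *data* in the evaluation context. Pebble's
    // autoescaping renders it as a value, so "{%" and "%}" are just characters.
    // The loader is restricted to the classpath so that even a developer
    // template's include cannot reach arbitrary paths on disk.
    static String renderUntrustedAsData(String userInput) throws IOException {
        PebbleEngine engine = new PebbleEngine.Builder()
                .loader(new ClasspathLoader())
                .build();
        PebbleTemplate template = engine.getLiteralTemplate("Hello, {{ name }}!");
        StringWriter out = new StringWriter();
        template.evaluate(out, Map.of("name", userInput));
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed attacker payload for demonstration only.
        String payload = "{% include \"/etc/passwd\" %}";

        // Safe path: the payload is printed back as text (quotes HTML-escaped),
        // nothing is included.
        System.out.println(renderUntrustedAsData(payload));

        // Unsafe path, shown for contrast only: uncomment to observe the
        // file contents being echoed on a host where the default loader
        // can read /etc/passwd.
        // System.out.println(renderUntrustedAsTemplate(payload));
    }
}
```

The practical rule is the one the hardened method encodes: never build a `PebbleTemplate` from a string the user influences. If a feature genuinely requires user-authored templates, treat that as code execution, run it with a loader that cannot touch the file system, and review the remaining tag set (`include`, `extends`, `import`) as attack surface.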
References
- github.com/JLLeitschuh/security-research/security/advisories/GHSA-p75g-cxfj-7wrx
- github.com/PebbleTemplates/pebble
- github.com/PebbleTemplates/pebble/issues/680
- github.com/PebbleTemplates/pebble/issues/688
- github.com/advisories/GHSA-p75g-cxfj-7wrx
- nvd.nist.gov/vuln/detail/CVE-2025-1686
- pebbletemplates.io/wiki/tag/include
- security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594