CVE-2025-25362: Spacy-LLM Server-Side Template Injection (SSTI) vulnerability

March 5, 2025 (updated March 6, 2025)

A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.

References

github.com/advisories/GHSA-793v-gxfp-9q9h
github.com/explosion/spacy-llm
github.com/explosion/spacy-llm/commit/8bde0490cc1e9de9dd2e84480b7b5cd18a94d739
github.com/explosion/spacy-llm/issues/492
github.com/explosion/spacy-llm/pull/491
nvd.nist.gov/vuln/detail/CVE-2025-25362

Detect and mitigate CVE-2025-25362 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →