Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1qdjd4LXhodjItcDV2Ms4ABKHm

Critical EPSS: 0.16492% (0.94587 Percentile) EPSS:
Permalink JSON

LaRecipe is vulnerable to Server-Side Template Injection attacks

Affected Packages Affected Versions Fixed Versions
packagist:binarytorch/larecipe < 2.8.1 2.8.1
16 Dependent packages
274 Dependent repositories
2,363,974 Downloads total

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.8.0

All unaffected versions

2.8.1

Impact

Attackers could:

  1. Execute arbitrary commands on the server
  2. Access sensitive environment variables
  3. Escalate access depending on server configuration

A critical vulnerability was discovered in LaRecipe that allows an attacker to perform Server-Side Template Injection (SSTI), potentially leading to Remote Code Execution (RCE) in vulnerable configurations.

Patches

Users are strongly advised to upgrade to version v2.8.1 or later.

Credit

We would like to thank Roman Ananev for responsibly identifying and reporting this vulnerability.

References:

Identifiers

GHSA-jv7x-xhv2-p5v2

CVE-2025-53833

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.16492

EPSS Percentile: 0.94587

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/saleem-hadad/larecipe

Date and time

Published

15 days ago

Updated

about 17 hours ago

API

JSON