A fix is still pending, but mitigations are available.

Pebble, a Java templating engine, has a weakness that lets attackers bypass its security safeguards. Applications using the vulnerable engine can be subjected to command injection attacks against the host server.

Pebble Templates offers a developer-friendly templating system for web applications, support for internationalization, and a set of security features. Those security features, output auto-escaping and a block-list method access validator meant to keep templates away from command execution, are a large part of what makes it practical.

However, a security researcher has found that, given the right classes on the classpath and a crafted template, Pebble's command execution defense can be defeated.

Bypassing Pebble security

The bypass works when Pebble is used together with Spring, a popular Java application framework. Many Spring classes are registered as beans and can therefore be reached dynamically at runtime.

Through that bean mechanism, an attacker can obtain one of the Spring objects that is capable of loading classes.

The name of a class to instantiate and a method to invoke are then read from an XML file using Jackson, a data-parsing library. That is enough to let the attacker run arbitrary code on the server.

As a proof of concept, the researcher fetched an XML file from the internet through a Pebble template and used it to instantiate a Java class capable of executing system commands on the server.

No easy fix yet

The bug report is being discussed on GitHub. Because the vulnerability has been assigned a CVE, enterprise systems that depend on the latest Pebble release are now receiving security alerts.

The developers are working on a fix, but since Pebble is a community-driven project it is unclear when it will be released. In the meantime the maintainers have suggested several mitigations to protect projects.

Note that to exploit the flaw, an attacker needs a way to get a malicious Pebble template onto the server. Tightening controls on user-provided content and restricting who can submit templates is therefore an effective line of defense.
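The following Java program is an added example, not code from the article, the researcher or the Pebble maintainers. It puts both points above into practice: templates are literal strings owned by the application and user input enters only as context data, so no user can submit template syntax; and the default block-list method access validator is replaced by an allow-list one that permits reflective method calls only on plain value types, so a template cannot reach a Spring bean, a class loader or a Jackson mapper at all, whatever the method is named. It assumes Pebble 3.1.x package names and its `MethodAccessValidator` extension point (Pebble 3.2 and later moved the packages to `io.pebbletemplates.pebble`), and assumes a refused call surfaces as a `PebbleException`.

```java
import com.mitchellbosecke.pebble.PebbleEngine;
import com.mitchellbosecke.pebble.attributes.methodaccess.MethodAccessValidator;
import com.mitchellbosecke.pebble.error.PebbleException;
import com.mitchellbosecke.pebble.loader.StringLoader;
import com.mitchellbosecke.pebble.template.PebbleTemplate;

import java.io.IOException;
import java.io.StringWriter;
import java.lang.reflect.Method;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class HardenedPebble {

    // Allow-list replacement for Pebble's default block-list validator (added example,
    // not a Pebble-provided class). A reflective method call from a template is
    // permitted only when the method is declared on one of these plain value types.
    // Spring beans, class loaders, Jackson mappers and Object.getClass() are refused
    // regardless of the method name, so a block-list bypass has nothing to start from.
    static final class AllowListMethodAccessValidator implements MethodAccessValidator {
        private static final Set<Class<?>> ALLOWED_DECLARING_CLASSES = Set.of(
                String.class, CharSequence.class,
                Number.class, Integer.class, Long.class, Double.class, Boolean.class,
                Map.class, List.class, Collection.class, Iterable.class);

        @Override
        public boolean isMethodAccessAllowed(Object object, Method method) {
            return ALLOWED_DECLARING_CLASSES.contains(method.getDeclaringClass());
        }
    }

    private final PebbleEngine engine = new PebbleEngine.Builder()
            .loader(new StringLoader())   // templates are strings supplied by application code
            .autoEscaping(true)           // the default, spelled out: HTML-escape {{ }} output
            .methodAccessValidator(new AllowListMethodAccessValidator())
            .build();

    // Templates are fixed in code. Untrusted input goes into the context map only, so a
    // user never gets to supply template syntax that Pebble would compile and execute.
    static final String GREETING = "Hello {{ name.toUpperCase() }}!";

    String render(String templateSource, Map<String, Object> context) throws IOException {
        PebbleTemplate template = engine.getTemplate(templateSource);
        StringWriter out = new StringWriter();
        template.evaluate(out, context);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        HardenedPebble pebble = new HardenedPebble();

        // Normal use: a method declared on String is allowed and the result is auto-escaped.
        Map<String, Object> ctx = Map.of("name", "<b>alice</b>");
        System.out.println(pebble.render(GREETING, ctx));

        // Constructed hostile input: the shape an attacker-controlled template would take if
        // templates were ever accepted from users. The validator refuses the Object method.
        String hostile = "{{ name.getClass() }}";
        try {
            pebble.render(hostile, Map.of("name", "alice"));
            System.out.println("UNEXPECTED: getClass() was callable from a template");
        } catch (PebbleException e) {
            System.out.println("refused by validator: " + e.getMessage());
        }
    }
}
```

The allow-list deliberately names declaring classes rather than method names: a block list has to anticipate every dangerous entry point, while an allow list fails closed when a context object of an unexpected type (a Spring bean, for instance) shows up. The trade-off is that templates lose the ability to call methods on application domain objects; expose what they need through the context map or through Pebble extensions instead.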