Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-59340— jinjava Sandbox Bypass via JavaType-Based Deserialization

CVSS 9.8 · Critical EPSS 0.95% · P76
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-59340

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
jinjava Sandbox Bypass via JavaType-Based Deserialization
Source: NVD (National Vulnerability Database)
Vulnerability Description
jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Priori to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1336
Source: NVD (National Vulnerability Database)
Vulnerability Title
HubSpot Jinjava 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
HubSpot Jinjava是美国HubSpotn个人开发者的一个应用软件。提供基于Java的模板模板引擎,基于Django模板语法,适用于呈现jinja模板。 HubSpot Jinjava 2.8.1之前版本存在安全漏洞,该漏洞源于允许反序列化攻击者控制的输入,可能导致沙箱逃逸和远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
HubSpotjinjava < 2.8.1 -

II. Public POCs for CVE-2025-59340

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-59340

登录查看更多情报信息。

IV. Related Vulnerabilities

Same product: jinjava
Same vendor: HubSpot
Same weakness: CWE-1336

V. Comments for CVE-2025-59340

No comments yet

Leave a comment