Critical Vulnerability Information

Vulnerability Overview

CVE ID: CVE-2025-25362
Vulnerability Type: Server-Side Template Injection (SSTI)
Affected Versions: spaCy v8.0.0 to v9.7.2
Impact Scope: Allows attackers to execute arbitrary code via malicious code injection

Vulnerability Details

Description: The template engine in spaCy contains a security flaw when processing user input, enabling attackers to inject malicious code using specific template syntax.

Example Code:

Key Point: The default template uses , which allows attackers to inject malicious code by controlling the variable.

Impact

Severity: High
Potential Risk: Attackers can exploit this vulnerability to execute arbitrary code, leading to Remote Code Execution (RCE).

Mitigation Measures

Official Patch: Developers have released a fixed version; users are advised to upgrade to the latest version.
Workarounds: Disable or restrict template engine functionality in production environments, and avoid directly using user input to generate templates.

Conclusion

This vulnerability poses a significant threat to systems using spaCy, especially those relying on template engine features. Timely updates and security measures are essential to prevent exploitation.
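The workaround above ("avoid directly using user input to generate templates") is the core fix for any SSTI. The following is an added example, not code from the advisory or from the spaCy project; it assumes a Jinja2 engine (the advisory does not name one) and contrasts the flawed pattern, where user text becomes part of the template source, with the hardened pattern, where the template is fixed and user text is passed only as a context variable. It also includes the benign probe a defender can use to check which pattern a renderer follows.

```python
"""Vulnerable vs. hardened use of a template engine with user input.

Assumption (not stated in the advisory): the template engine is Jinja2.
The flawed pattern splices user input into the template *source*, so any
template syntax in that input is evaluated. The hardened pattern keeps the
template fixed and passes user input as data, so the same syntax is
rendered literally.
"""
from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment

# Fixed template: the only user-influenced part is the `text` variable.
PROMPT_TEMPLATE = "Summarize the following text:\n{{ text }}"

# Constructed probe: a harmless expression that a template engine evaluates
# but a literal renderer leaves untouched. Used only to *detect* SSTI.
PROBE = "{{ 7 * 7 }}"


def render_vulnerable(user_text: str) -> str:
    """Flawed pattern: the template source itself is built from user input."""
    env = Environment()
    template_source = "Summarize the following text:\n" + user_text
    return env.from_string(template_source).render()


def render_hardened(user_text: str) -> str:
    """Hardened pattern: fixed template, user input passed as a variable.

    SandboxedEnvironment is defence in depth (it restricts attribute access
    inside templates); the actual fix is never compiling user text as a
    template. StrictUndefined makes typos in the fixed template fail loudly.
    """
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(PROMPT_TEMPLATE).render(text=user_text)


def is_template_injectable(render, probe: str = PROBE) -> bool:
    """Detection check: True if the renderer evaluated template syntax
    found in its input, i.e. the probe no longer appears verbatim."""
    return probe not in render(probe)


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # probe evaluated: output ends with 49
    print(render_hardened(PROBE))     # probe kept literal: {{ 7 * 7 }}
    print(is_template_injectable(render_vulnerable))  # True
    print(is_template_injectable(render_hardened))    # False
```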