CVE-2025-49136
BaseFortify
Publication date: 2025-06-09
Last updated on: 2025-07-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nadh | listmonk | From 4.0.0 (inc) to 5.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| NVD-CWE-noinfo | Insufficient information (NVD placeholder, no specific CWE assigned). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49136 is a critical security vulnerability in listmonk versions 4.0.0 through 5.0.1 that affects multi-user installations. It arises because the Sprig template functions `env` and `expandenv` are enabled by default, allowing users with campaign or template permissions (but not super-admin) to use template expressions like `{{ env "VARIABLE_NAME" }}` to access sensitive environment variables on the host system. This can expose critical information such as database credentials, SMTP passwords, and admin credentials. The vulnerability is fixed in version 5.0.2 by disabling these dangerous template functions. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive environment variables by non-super-admin users with limited permissions. Attackers can extract critical system information such as database credentials and passwords, potentially leading to full system compromise, data breaches, and unauthorized access to administrative functions. The impact includes high confidentiality, integrity, and availability risks. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your listmonk installation is running a vulnerable version (4.0.0 through 5.0.1) and if unprivileged users with campaign or template permissions can inject template expressions like `{{ env "VARIABLE_NAME" }}` in campaign content previews to access environment variables. There are no specific network or system commands provided to detect exploitation directly. However, you can verify the listmonk version by running `./listmonk --version` or checking the deployed Docker image tag. Additionally, monitoring logs for unusual template expressions or access patterns by non-super-admin users might help detect exploitation attempts. [3, 1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade listmonk to version 5.0.2 or later, where the dangerous Sprig template functions `env` and `expandenv` are disabled by default. For a standard installation, back up your database, replace the listmonk binary with the v5.0.2 version, run the upgrade command `./listmonk --upgrade`, and restart the application. For Docker deployments, stop the containers, pull the latest image, run the upgrade command inside the container, and restart the services. This update removes the vulnerable template functions and prevents unauthorized access to environment variables. [1]
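As an added illustration (not code from BaseFortify, listmonk or Sprig), the Go snippet below mirrors the two answers above: a template function map that exposes `env`/`expandenv` to user-controlled campaign bodies, the same map with those two functions removed (the shape of the 5.0.2 fix), and a regex check a defender can run over stored campaign and template bodies when looking for earlier abuse. The `env`/`expandenv` helpers are stand-ins wired to `os.Getenv`/`os.ExpandEnv` (an assumption about how Sprig's behave), and the environment variable name is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"regexp"
	"text/template"
)

// Stand-in for the Sprig helpers (assumption: Sprig's env/expandenv read
// the host process environment the same way these do).
func sprigLikeFuncs() template.FuncMap {
	return template.FuncMap{"env": os.Getenv, "expandenv": os.ExpandEnv}
}

// hardenedFuncs drops the two environment readers, which is the shape of
// the listmonk 5.0.2 change; every other helper in the map stays available.
func hardenedFuncs() template.FuncMap {
	fm := sprigLikeFuncs()
	delete(fm, "env")
	delete(fm, "expandenv")
	return fm
}

// Render parses and executes a user-supplied campaign body. text/template
// rejects calls to functions absent from the map at parse time, so with
// the hardened map the environment is never read.
func Render(body string, funcs template.FuncMap) (string, error) {
	tmpl, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

// envRefPattern matches env/expandenv called inside {{ }}, including the
// pipeline form {{ "X" | env }}, but not field access such as {{ .env }}.
// Intended for triaging bodies already stored in the database.
var envRefPattern = regexp.MustCompile(`\{\{(?:[^}]*[^.\w])?(env|expandenv)\b`)

func ReferencesEnv(body string) bool { return envRefPattern.MatchString(body) }

func main() {
	os.Setenv("EXAMPLE_DB_PASSWORD", "constructed-secret") // constructed value
	body := `Hi {{ env "EXAMPLE_DB_PASSWORD" }}`
	vuln, _ := Render(body, sprigLikeFuncs())
	_, hardenedErr := Render(body, hardenedFuncs())
	fmt.Printf("flagged=%v vulnerable=%q hardened_err=%v\n", ReferencesEnv(body), vuln, hardenedErr)
}
```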