Executive Summary

CVE-2025-70073 is a Server-Side Template Injection (SSTI) vulnerability in ChestnutCMS versions up to 1.5.8. It occurs because the system allows users with template creation or editing permissions to save arbitrary FreeMarker expressions into template files without proper sandboxing or security restrictions.

When these templates are rendered by the CoreController on certain routes, such as /cms/preview/*, the malicious FreeMarker expressions are executed. Attackers can use the ${...} syntax to insert payloads that execute arbitrary template code.

If the FreeMarker configuration permits method execution, this can lead to remote code execution on the server, depending on the deployment environment and JVM security policies.

The exploitation involves creating or editing templates at /admin/configs/template, assigning the malicious template to a site at /admin/configs/site, and previewing the site to trigger the vulnerable rendering.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with template editing permissions to execute arbitrary code on the server hosting ChestnutCMS.

Remote code execution can lead to full compromise of the server, including unauthorized access to data, modification or deletion of content, installation of malware, or use of the server as a pivot point for further attacks.

The impact depends on the deployment environment and security policies but can be severe, potentially affecting the confidentiality, integrity, and availability of the system and its data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of arbitrary FreeMarker expressions in templates created or edited via the administrator backend, especially those using the ${...} syntax.'}, {'type': 'paragraph', 'content': 'Specifically, you can audit templates in the /admin/configs/template section for suspicious FreeMarker code that could be executed during rendering.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring HTTP requests to routes like /cms/preview/* and /admin/configs/template for unusual or unexpected template creation or preview actions can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'While no specific commands are provided, you can use commands to search for suspicious template content on the server, for example:'}, {'type': 'list_item', 'content': "grep -r '\\${.*}' /path/to/chestnutcms/templates/"}, {'type': 'list_item', 'content': 'Check web server logs for POST or PUT requests to /admin/configs/template or /admin/configs/site endpoints that include suspicious template code.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the template creation and editing functions in the administrator backend to trusted users only.

Avoid allowing untrusted users to create or edit templates, as this is the vector for exploitation.

If possible, disable or restrict the rendering of templates that contain arbitrary FreeMarker expressions, or apply sandboxing to the FreeMarker template engine to prevent execution of unsafe expressions.

Monitor and audit template changes and site previews closely for suspicious activity.

Finally, update ChestnutCMS to a version later than 1.5.8 once a patch is available to fully resolve the vulnerability.

Useful 0 Not Useful 0