Impact Analysis

Successful exploitation of this vulnerability can lead to remote code execution on the server running Datart. Attackers can execute arbitrary system commands or load malicious Java bytecode, potentially resulting in full system compromise.

This means attackers could gain unauthorized control over the server, access sensitive data, disrupt services, or use the compromised system as a foothold to attack other parts of the network.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Executive Summary

CVE-2025-70830 is a Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine used by Datart version v1.0.0-rc.3. It allows authenticated attackers to inject malicious Freemarker template syntax into the SQL script field, which the server then executes. This improper handling of user input enables attackers to execute arbitrary system commands or load malicious Java bytecode on the server hosting Datart.

The vulnerability arises because the Freemarker engine processes user input directly in the SQL script/query editor without proper sanitization, allowing attackers with access to edit SQL scripts to run arbitrary code remotely.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by injecting crafted Freemarker template payloads into the SQL script/query editor and observing if the server executes arbitrary commands. For example, injecting a payload that runs the 'id' command can confirm exploitation."}, {'type': 'paragraph', 'content': 'A sample payload to test is: <# assign ob="freemarker.template.utility.ObjectConstructor"?new() > <# assign pb=ob("java.lang.ProcessBuilder",["bash","-c","id" ])> ${pb.start()} SELECT 1'}, {'type': 'paragraph', 'content': 'Detection can also be performed by sending an HTTP POST request to the API endpoint `/api/v1/data-provider/execute/test` with a JSON body containing the malicious Freemarker payload in the `script` field, along with a valid authorization token.'}, {'type': 'paragraph', 'content': 'More generally, fuzzing inputs with special characters used in template syntax and observing server responses or errors can help detect SSTI vulnerabilities. Tools like Burp Suite can automate this process.'}, {'type': 'paragraph', 'content': "Testing includes injecting template syntax such as `{{7*'7'}}` or other engine-specific payloads to identify the template engine and confirm server-side evaluation."}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the SQL script editing functionality to only trusted and necessary users.

Sanitize or disable Freemarker template processing in user-controllable fields, especially the SQL script/query editor, to prevent injection of malicious template syntax.

Update Datart to a patched version or apply vendor-provided fixes that address this vulnerability.

Additional prevention strategies include disallowing user modifications to templates, using logic-less template engines, sandboxing template execution environments, and deploying templates within isolated containers to limit impact.

Useful 0 Not Useful 0