CVE-2025-70830
Server-Side Template Injection in Datart Freemarker Enables Code Execution
Publication date: 2026-02-17
Last updated on: 2026-02-17
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| datart | datart | 1.0.0-rc.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
Successful exploitation of this vulnerability can lead to remote code execution on the server running Datart. Attackers can execute arbitrary system commands or load malicious Java bytecode, potentially resulting in full system compromise.
This means attackers could gain unauthorized control over the server, access sensitive data, disrupt services, or use the compromised system as a foothold to attack other parts of the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2025-70830 is a Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine used by Datart version v1.0.0-rc.3. It allows authenticated attackers to inject malicious Freemarker template syntax into the SQL script field, which the server then executes. This improper handling of user input enables attackers to execute arbitrary system commands or load malicious Java bytecode on the server hosting Datart.
The vulnerability arises because the Freemarker engine processes user input directly in the SQL script/query editor without proper sanitization, allowing attackers with access to edit SQL scripts to run arbitrary code remotely.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by injecting crafted Freemarker template payloads into the SQL script/query editor and observing if the server executes arbitrary commands. For example, injecting a payload that runs the 'id' command can confirm exploitation.
A sample payload to test is: `<# assign ob="freemarker.template.utility.ObjectConstructor"?new() > <# assign pb=ob("java.lang.ProcessBuilder",["bash","-c","id" ])> ${pb.start()} SELECT 1`
Detection can also be performed by sending an HTTP POST request to the API endpoint `/api/v1/data-provider/execute/test` with a JSON body containing the malicious Freemarker payload in the `script` field, along with a valid authorization token.
More generally, fuzzing inputs with special characters used in template syntax and observing server responses or errors can help detect SSTI vulnerabilities. Tools like Burp Suite can automate this process.
Testing includes injecting template syntax such as `{{7*'7'}}` or other engine-specific payloads to identify the template engine and confirm server-side evaluation. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the SQL script editing functionality to only trusted and necessary users.
Sanitize or disable Freemarker template processing in user-controllable fields, especially the SQL script/query editor, to prevent injection of malicious template syntax.
Update Datart to a patched version or apply vendor-provided fixes that address this vulnerability.
Additional prevention strategies include disallowing user modifications to templates, using logic-less template engines, sandboxing template execution environments, and deploying templates within isolated containers to limit impact.
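As an added example (not part of this advisory or of the Datart project), the following Python scans logged requests to the `/api/v1/data-provider/execute/test` endpoint for Freemarker directive syntax in the `script` field, covering both the detection question and the "sanitize user-controllable fields" mitigation above. The patterns and the sample request log are constructed for illustration; plain `${name}` interpolations are deliberately not flagged, on the assumption that ordinary parameterised scripts may use them.

```python
import json
import re

# Markers of Freemarker template logic that a plain SQL script should not
# contain. The pattern set is an assumption for this example, not a
# complete Freemarker grammar.
FREEMARKER_PATTERNS = {
    "directive": re.compile(r"<#\s*\w+"),             # <#assign, <#list, ...
    "new_builtin": re.compile(r"\?\s*new\s*\("),      # ?new() class instantiation
    "utility_class": re.compile(r"freemarker\.template\.utility", re.IGNORECASE),
}

WATCHED_PATH = "/api/v1/data-provider/execute/test"


def freemarker_indicators(script):
    """Return the names of the template markers present in a script string."""
    return [name for name, pat in FREEMARKER_PATTERNS.items() if pat.search(script)]


def inspect_request(path, body):
    """Classify one logged request (path, raw JSON body).

    Returns None for requests that are out of scope or unparsable, otherwise a
    dict with a 'suspicious' flag and the list of matched indicator names.
    """
    if path != WATCHED_PATH:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    script = data.get("script", "")
    if not isinstance(script, str):
        return None
    hits = freemarker_indicators(script)
    return {"suspicious": bool(hits), "indicators": hits}


def scan(requests):
    """Run inspect_request over (path, body) pairs and keep the verdicts."""
    return [(path, inspect_request(path, body)) for path, body in requests]


# Constructed sample log: one ordinary query, one script carrying the
# directive/?new() shape described in the advisory, one unrelated endpoint.
SAMPLE_REQUESTS = [
    (WATCHED_PATH, '{"script": "SELECT id, name FROM users WHERE active = 1"}'),
    (WATCHED_PATH, '{"script": "<#assign ob=\\"freemarker.template.utility.ObjectConstructor\\"?new()> SELECT 1"}'),
    ("/api/v1/other", '{"script": "<#assign x=1>"}'),
]
```

The same `freemarker_indicators` check can be applied server-side to reject a script before it reaches the template engine, which is the input-validation half of the mitigation.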