* Last update: 19/09/2025
* Affected products: HubSpot Jinjava
* Type: Sandbox escape possibly leading to remote code execution
* CVE/CVSS:
  - CVE-2025-59340: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
* Sources:
  - HubSpot - https://github.com/HubSpot/jinjava/security/advisories/GHSA-m49c-g9wr-hv6v
In September 2025, HubSpot released an advisory for its Jinjava template engine. A critical flaw in Jinjava can be exploited to escape the Jinjava sandbox and, in certain circumstances, may lead to remote code execution.
Jinjava is HubSpot’s open source template engine. It is used by thousands of CMS (content management systems), email template renderers and custom web applications. Jinjava underpins critical rendering operations in HubSpot’s CMS ecosystem. With its widespread use in enterprise and marketing websites, the risk of sandbox escapes leading to data breaches, SSRF exploitation, and system takeover is high.
At the time of writing (cut-off date: 19 September 2025), there is no report of active exploitation.
Exploitation of this vulnerability can have high impact on confidentiality, integrity and availability.
CVE-2025-59340 is a critical sandbox-bypass vulnerability in HubSpot Jinjava templates that abuses JavaType-based deserialization. A remote threat actor can leverage it to read arbitrary files and to perform a full-read SSRF (server-side request forgery) by creating network-related objects. In certain environments, depending on the classes available on the classpath, this primitive can even lead to complete remote code execution.
Jinjava's sandbox restrictions can be bypassed by deserializing attacker-controlled input into arbitrary classes, which yields semi-arbitrary class instances without directly invoking restricted methods or class literals.
More specifically, Jinjava templates expose a built-in variable, int3rpr3t3r, which provides direct access to the JinjavaInterpreter instance. From int3rpr3t3r it is possible to traverse to the config field, which exposes an ObjectMapper. By invoking readValue(String content, JavaType valueType) on this ObjectMapper, an attacker can instantiate arbitrary classes specified via JavaType. Since the JavaType class itself is not restricted, an attacker can leverage JavaType construction (constructFromCanonical) to instantiate semi-arbitrary classes without directly calling restricted methods.
In this way, an attacker can escape the sandbox and access local files and URLs or launch SSRF attacks. With further chaining, this primitive can lead to remote code execution.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
The CCB recommends auditing template code for any direct or indirect use of int3rpr3t3r.
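The audit recommended above, and the access chain described earlier (int3rpr3t3r, its config field, readValue, constructFromCanonical), can be turned into a simple static check over template sources. The script below is an added example for this advisory, not CCB or HubSpot code: it flags every direct reference to int3rpr3t3r, follows indirect references created with `{% set alias = … %}`, and raises the severity when a reference is combined with one of the chain members named in the advisory. The sample templates are constructed for the example; the `{% set %}` handling assumes standard Jinja-style assignment syntax and deliberately keeps an alias for the rest of the template even if it is later reassigned, so it errs on the side of over-reporting.

```python
"""Static audit of Jinjava template sources for use of the int3rpr3t3r variable.

Added example for CVE-2025-59340 (not CCB or HubSpot code). It reports direct
references to the built-in `int3rpr3t3r` variable, indirect references made via
`{% set alias = ... %}`, and marks as "high" any reference on a line that also
names a member of the advisory's deserialization chain.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# The built-in variable named in the advisory; every chain starts here.
INTERP_RE = re.compile(r"\bint3rpr3t3r\b")
# {% set alias = <expr> %} statements, used to follow indirect references.
SET_RE = re.compile(r"\{%-?\s*set\s+([A-Za-z_]\w*)\s*=\s*(.*?)\s*-?%\}")
# Chain members named in the advisory (config field, ObjectMapper.readValue,
# JavaType / constructFromCanonical).
CHAIN_RE = re.compile(r"\b(config|readValue|constructFromCanonical|JavaType)\b")


@dataclass(frozen=True)
class Finding:
    template: str
    line: int
    severity: str  # "high" when combined with a chain member, else "medium"
    reason: str
    snippet: str


def _reference_re(aliases: Set[str]) -> "re.Pattern[str]":
    """Regex matching int3rpr3t3r or any alias learned so far."""
    names = ["int3rpr3t3r", *sorted(aliases)]
    return re.compile(r"\b(" + "|".join(re.escape(n) for n in names) + r")\b")


def audit_template(name: str, source: str) -> List[Finding]:
    findings: List[Finding] = []
    aliases: Set[str] = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Learn aliases whose right-hand side refers to the interpreter or to
        # an existing alias. Aliases are never forgotten (conservative).
        new_here: Set[str] = set()
        for alias, rhs in SET_RE.findall(line):
            if _reference_re(aliases).search(rhs) and alias not in aliases:
                new_here.add(alias)
        aliases |= new_here
        # Names used on this line, excluding the alias being defined here.
        used = set(_reference_re(aliases).findall(line)) - new_here
        if not used:
            continue
        direct = "int3rpr3t3r" in used
        via = "direct" if direct else "indirect (via " + ", ".join(sorted(used)) + ")"
        chain = sorted(set(CHAIN_RE.findall(line)))
        if chain:
            severity = "high"
            reason = f"{via} interpreter access combined with {', '.join(chain)}"
        else:
            severity = "medium"
            reason = f"{via} reference to int3rpr3t3r"
        findings.append(Finding(name, lineno, severity, reason, line.strip()))
    return findings


def audit_templates(templates: Dict[str, str]) -> List[Finding]:
    """Audit a mapping of template name -> source and return all findings."""
    out: List[Finding] = []
    for name, source in templates.items():
        out.extend(audit_template(name, source))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample templates for this example (not real HubSpot content).
SAMPLE_TEMPLATES: Dict[str, str] = {
    "listing.html": (
        "<h1>{{ content.title }}</h1>\n"
        "{% for post in contents %}<li>{{ post.name }}</li>{% endfor %}\n"
    ),
    "direct.html": (
        "{# debugging output left behind #}\n"
        "{{ int3rpr3t3r.config }}\n"
    ),
    "indirect.html": (
        "{% set i = int3rpr3t3r %}\n"
        "{% set cfg = i.config %}\n"
        "{{ cfg }}\n"
    ),
}

if __name__ == "__main__":
    for f in audit_templates(SAMPLE_TEMPLATES):
        print(f"{f.severity:6} {f.template}:{f.line}  {f.reason}")
        print(f"       {f.snippet}")
    print(summarize(audit_templates(SAMPLE_TEMPLATES)))
```

Any "medium" hit is worth a review because legitimate templates have no reason to touch the interpreter object; a "high" hit is a line that already reaches into the chain the advisory describes and should be treated as a priority finding.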
Sources
* Cybersecurity News - https://cybersecuritynews.com/hubspots-jinjava-engine-vulnerability/
* Security Online - https://securityonline.info/cve-2025-59340-critical-hubspots-jinjava-engine-flaw-exposes-thousands-of-websites-to-rce/