@ebussieres (Member) commented Nov 23, 2025

Fixes: #688 #689

  1. Remove FileLoader by default in PebbleEngine. Only ClasspathLoader will be used by default now
  2. Modify the FileLoader and add a mandatory baseDirectory parameter.
  3. Protect from path traversal
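
Added example, not code from this pull request or from Pebble: one way to enforce a mandatory base directory and reject path traversal when resolving template names, as items 2 and 3 describe. The class `BaseDirResolver`, its methods and the sample file names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
// Hypothetical helper (not Pebble's FileLoader): resolves template names
// strictly inside a mandatory base directory.
public final class BaseDirResolver {
    private final Path base;
    public BaseDirResolver(String baseDirectory) throws IOException {
        if (baseDirectory == null || baseDirectory.isEmpty()) {
            throw new IllegalArgumentException("baseDirectory is mandatory");
        }
        // Canonicalise once, following symlinks, so later comparisons are stable.
        this.base = Paths.get(baseDirectory).toRealPath();
    }

    public Path resolve(String templateName) throws IOException {
        if (templateName == null || templateName.indexOf('\0') >= 0) {
            throw new SecurityException("invalid template name");
        }
        // normalize() collapses "." and ".." lexically; an absolute name replaces
        // the base in resolve(), so the containment check rejects it too.
        Path candidate = base.resolve(templateName).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "<base>-other" does not pass as it would with String.startsWith.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("outside base directory: " + templateName);
        }
        // A symlink inside the base may still point outside it: check the real path.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes base directory: " + templateName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary template directory with one file.
        Path dir = Files.createTempDirectory("templates");
        Files.write(dir.resolve("home.peb"), "hello".getBytes());
        BaseDirResolver resolver = new BaseDirResolver(dir.toString());
        String outside = dir.getParent().resolve("other.txt").toString();
        for (String name : new String[] {"home.peb", "sub/../home.peb", "../other.txt", outside}) {
            try {
                System.out.println("allowed  " + name + " -> " + resolver.resolve(name));
            } catch (SecurityException e) {
                System.out.println("rejected " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```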

@ebussieres added this to the 4.0.1 milestone Nov 23, 2025
@ebussieres force-pushed the CVE-2025-1686 branch 5 times, most recently from 7989332 to 5fc9897, November 23, 2025 15:31
@ebussieres marked this pull request as draft November 23, 2025 18:10
@ebussieres force-pushed the CVE-2025-1686 branch 4 times, most recently from 7a58105 to c073576, November 25, 2025 17:42
@ebussieres force-pushed the CVE-2025-1686 branch 4 times, most recently from 8625076 to f9e1898, November 27, 2025 14:28
@ebussieres marked this pull request as ready for review November 27, 2025 14:31
@ebussieres changed the title from "chore: remove method getLiteralTemplate and use only a ClasspathLoade…" to "CVE-2025-1686" Nov 27, 2025
@ebussieres linked an issue that may be closed by this pull request Dec 7, 2025
@ebussieres force-pushed the CVE-2025-1686 branch 2 times, most recently from a08ce56 to e2e16fa, December 10, 2025 17:08
@ebussieres enabled auto-merge (squash) December 11, 2025 18:41
@ebussieres merged commit b3451c8 into master Dec 11, 2025
6 checks passed
@ebussieres deleted the CVE-2025-1686 branch December 11, 2025 18:43
@JLLeitschuh commented

Sorry for not leaving these comments earlier, something was broken in GitHub's mobile app when I was attempting to submit them.

@ebussieres (Member, Author) commented Dec 15, 2025

@JLLeitschuh Don't know the procedure to flag the CVE as fixed? Can you help me with that?
