CVE-2025-64087: XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 through v2.1.0 allows attackers to execute arbitrary code by injecting crafted template expressions.
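The defect class described above comes down to one distinction: untrusted text that is parsed as a FreeMarker template is evaluated, while the same text passed in as a data-model value is only printed. The following is an added illustration of that distinction and of the engine-level hardening a practitioner would apply alongside the fix linked below; it is not XDocReport's own code and does not reproduce the project's vulnerable path. It drives the FreeMarker engine directly (assumed FreeMarker 2.3.31 API), and the class name, method names and sample input are constructed for this example. The sample expression is deliberately harmless; the point is only whether it gets evaluated.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;

// Hypothetical class for this illustration; not part of XDocReport.
public class SstiMitigationDemo {

    // Constructed sample input: text an end user controls. It contains a template
    // expression but should only ever be treated as data, never as template source.
    static final String UNTRUSTED_INPUT = "${\"evaluated as an expression\"}";

    // Engine hardening (assumed FreeMarker 2.3.31 API). This limits what a template
    // can reach even if untrusted text does end up being parsed as a template.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Restrict the ?new built-in so templates cannot instantiate unsafe utility classes.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // Keep the ?api built-in off so templates cannot call Java APIs on model objects.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // Vulnerable pattern: untrusted text becomes the template source, so FreeMarker
    // parses and evaluates any ${...} or <#...> constructs it contains.
    static String renderUntrustedAsTemplate(Configuration cfg, String untrusted) throws Exception {
        Template template = new Template("dynamic", new StringReader(untrusted), cfg);
        StringWriter out = new StringWriter();
        template.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // Safe pattern: the template text is fixed and trusted; untrusted text enters
    // only as a value in the data model, where interpolation prints it verbatim.
    static String renderUntrustedAsData(Configuration cfg, String untrusted) throws Exception {
        Template template = new Template("fixed", new StringReader("Hello, ${name}"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("name", untrusted);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        // Untrusted text used as template source: the expression is evaluated.
        System.out.println(renderUntrustedAsTemplate(cfg, UNTRUSTED_INPUT));
        // Untrusted text used as data: the raw ${...} text is printed unchanged.
        System.out.println(renderUntrustedAsData(cfg, UNTRUSTED_INPUT));
    }
}
```

The first call prints `evaluated as an expression`, the second prints `Hello, ${"evaluated as an expression"}`. The safer class resolver and the disabled `?api` built-in reduce what an evaluated template can do, but they are defence in depth: the actual mitigation for this CVE is to keep user-controlled text out of the template source entirely and to apply the fix from the linked commit and pull request.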
References
- github.com/AT190510-Cuong/CVE-2025-64087-SSTI-
- github.com/advisories/GHSA-r8w2-w357-9pjv
- github.com/opensagres/xdocreport
- github.com/opensagres/xdocreport/commit/3b35d105e5ae2006bcaa2b07563188efc466711d
- github.com/opensagres/xdocreport/pull/705
- hackmd.io/@cuongnh/BJEnw7SAlg
- hackmd.io/@cuongnh/SkQvhEf0lx
- nvd.nist.gov/vuln/detail/CVE-2025-64087