CVE-2025-25362: Spacy-LLM Server-Side Template Injection (SSTI) vulnerability
A Server-Side Template Injection (SSTI) vulnerability in spacy-llm v0.7.2 allows attackers to execute arbitrary code by injecting a crafted payload into the `template` field. spacy-llm renders that field as a Jinja2 template when building a task's prompt, so anyone who can supply the template text (for example through a pipeline configuration taken from an untrusted source) can embed Jinja2 expressions that escape into the Python interpreter and run with the privileges of the process that loads the pipeline. The referenced fix commit and pull request contain the project's change; check the installed version against them before trusting external templates.
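The bug class the description refers to, as an added example that is not spacy-llm's own code: a prompt template string the application trusts is rendered with a plain Jinja2 `Environment`, so whoever controls that string can walk from a default template global (`cycler`) to the `os` module and run a command. The hardened function renders the same string in Jinja2's `SandboxedEnvironment`, which refuses underscore-prefixed attribute access and raises `SecurityError` before the chain reaches `os`. The benign template and the payload are constructed for this demo; the sandboxed environment is the generic Jinja2 mitigation and is not claimed to be the exact change in the project's fix commit. It assumes Jinja2 is installed.

```python
# Added example (not spacy-llm's code): SSTI through a trusted Jinja2 template
# string, and the sandboxed rendering that blocks the usual escape chain.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed inputs for this demo.
BENIGN_TEMPLATE = "Classify the following text: {{ text }}"
# Generic Jinja2 SSTI payload: `cycler` is a default template global; its
# __init__ function's __globals__ is the jinja2.utils module namespace, which
# imports `os`. From there any command can run; `echo` stands in for a real one.
SSTI_PAYLOAD = (
    "{{ cycler.__init__.__globals__.os.popen('echo pwned').read().strip() }}"
)


def render_trusting(template_src: str, **ctx) -> str:
    """Vulnerable pattern: the template text is treated as code the author wrote.

    If `template_src` comes from a user, a config file or a downloaded prompt,
    every Jinja2 expression in it runs with the privileges of this process.
    """
    return Environment().from_string(template_src).render(**ctx)


def render_sandboxed(template_src: str, **ctx) -> str:
    """Hardened pattern: same call, but the sandbox refuses underscore-prefixed
    and other internal attributes, so the object-graph walk in SSTI_PAYLOAD
    raises SecurityError instead of reaching `os`.
    """
    return SandboxedEnvironment().from_string(template_src).render(**ctx)


def sandbox_blocks(template_src: str, **ctx) -> bool:
    """True if the sandbox refuses to render `template_src`."""
    try:
        render_sandboxed(template_src, **ctx)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("benign, trusting  :", render_trusting(BENIGN_TEMPLATE, text="hello"))
    print("payload, trusting :", render_trusting(SSTI_PAYLOAD))  # the command ran
    print("benign, sandboxed :", render_sandboxed(BENIGN_TEMPLATE, text="hello"))
    print("payload, sandboxed blocked:", sandbox_blocks(SSTI_PAYLOAD))
```

The sandbox still renders ordinary prompt templates unchanged; only the attribute walk is refused. A sandbox is a mitigation, not a substitute for treating template text as untrusted input: keep templates out of user-controlled configuration wherever possible.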
References
- github.com/advisories/GHSA-793v-gxfp-9q9h
- github.com/explosion/spacy-llm
- github.com/explosion/spacy-llm/commit/8bde0490cc1e9de9dd2e84480b7b5cd18a94d739
- github.com/explosion/spacy-llm/issues/492
- github.com/explosion/spacy-llm/pull/491
- nvd.nist.gov/vuln/detail/CVE-2025-25362
- www.hacktivesecurity.com/blog/2025/04/01/cve-2025-25362-old-vulnerabilities-new-victims-breaking-llm-prompts-with-ssti