Mitigate Velocity SSTI by enabling SecureUberspector and restricting … #723
AT190510-Cuong left a comment
Hi @kevinleturc, Angelo mentioned that you might be able to review this PR if you have time. This PR addresses a potential SSTI issue in the Velocity template engine used by XDocReport and introduces additional protections (SecureUberspector configuration and class access restrictions). I would really appreciate it if you could take a look when convenient. Thank you!
kevinleturc left a comment
Hello @AT190510-Cuong, yes, sure, I will have a look as soon as possible.
AT190510-Cuong left a comment
Hi @kevinleturc, thanks for your response. I did report this issue to MITRE. However, they marked it as a duplicate of CVE-2025-64087, which is associated with FreeMarker. In my opinion, this issue also affects the Velocity template engine used in XDocReport, but it is not currently tracked as a separate CVE for Velocity. The root cause is similar (server-side template injection), but the exploitation and mitigations are specific to Velocity (e.g., SecureUberspector and class access restrictions). So at the moment, there is no dedicated CVE covering the Velocity side of this issue. Please let me know if you think this should be tracked separately. Thanks!
kevinleturc
left a comment
Changes look good to me, I will fixup the commits and merge.
Commit b99cc15 (force-pushed from 6316a0e): Mitigate Velocity SSTI by enabling SecureUberspector and restricting dangerous classes
This patch mitigates a Server-Side Template Injection (SSTI) risk in the
Velocity template engine configuration.
The change enables SecureUberspector and restricts access to sensitive
Java classes and reflection-related packages that could be abused to
reach Runtime execution through template expressions.
This approach aligns with the security hardening already applied to
FreeMarker templates in the project.
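The two engine configurations the commit message contrasts, as an added example that is not XDocReport's or Velocity's own code. It assumes Velocity 1.7 (the `org.apache.velocity.runtime.RuntimeConstants` keys used here exist in that line), and the class and package lists in `hardenedEngine()` are an illustrative selection, not the exact lists in the patch. The `$user.class.name` template is a constructed probe that walks from a context value to its `java.lang.Class` object, which is the first hop of the reflection chains that SecureUberspector is meant to cut off; it is not an exploit.

```java
// Added example, not project code: a default Velocity engine next to one hardened
// the way the commit describes (SecureUberspector plus class/package restrictions).
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class VelocityHardeningExample {

    /** Default engine: the stock UberspectImpl lets a template call any public method
     *  reachable from a context object, including on java.lang.Class. */
    static VelocityEngine defaultEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        return ve;
    }

    /** Hardened engine. The restrict.* keys are only consulted by SecureUberspector,
     *  so the first setProperty is the one that actually turns the deny-lists on. */
    static VelocityEngine hardenedEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Classes whose methods a template may never invoke (illustrative list,
        // not the project's exact configuration).
        ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES,
                "java.lang.Class,java.lang.ClassLoader,java.lang.Runtime,"
              + "java.lang.ProcessBuilder,java.lang.System,java.lang.Thread");
        // Whole packages to block: reflection and method handles (illustrative).
        ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES,
                "java.lang.reflect,java.lang.invoke");
        ve.init();
        return ve;
    }

    /** Evaluate an inline template with a single context value bound to $user. */
    static String render(VelocityEngine ve, String template, Object user) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("user", user);
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "VelocityHardeningExample", template);
        return out.toString();
    }

    public static void main(String[] args) {
        String benign = "Hello $user";
        // Constructed probe: reaches the Class object behind a context value.
        String probe = "$user.class.name";

        System.out.println("default / benign : " + render(defaultEngine(), benign, "alice"));
        System.out.println("default / probe  : " + render(defaultEngine(), probe, "alice"));
        System.out.println("hardened / benign: " + render(hardenedEngine(), benign, "alice"));
        System.out.println("hardened / probe : " + render(hardenedEngine(), probe, "alice"));
    }
}
```

With the default engine the probe resolves through `getClass()` and then `getName()` on `java.lang.Class`. With the hardened engine the first hop still succeeds (`String` is not restricted), but the method lookup on `java.lang.Class` is refused by `SecureIntrospectorImpl`, so the reference cannot be resolved and Velocity writes the reference text back out unchanged. Two caveats a reviewer would want on record: SecureUberspector is a blocklist, so anything placed in the context (and every public method reachable from it that is not on the lists) stays callable, which is why the context handed to untrusted templates should be as small as possible; and SecureUberspector independently refuses any `getClassLoader` call regardless of the lists, which is the other common pivot.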