CVE-2025-23211

Tandoor Recipes - SSTI - Remote Code Execution

CVSS 10 CRITICAL · EPSS 3.5% · CWE-1336
In short

Tandoor Recipes has a server-side template injection (SSTI) flaw that lets any user run arbitrary code on the server. This can give an attacker complete control of the application and of the machine running it.

Technical detail

A Jinja2 Server-Side Template Injection (SSTI) vulnerability in Tandoor Recipes allows authenticated or unauthenticated users to inject malicious template code, leading to arbitrary command execution with the privileges of the application process (potentially root in containerized deployments). The flaw lies in the way user-supplied input reaches Jinja2 template processing without proper sanitization: user data is treated as template source rather than as a value passed to a fixed template.
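The paragraph above describes the bug class (CWE-1336): user-controlled text ends up as Jinja2 template source instead of being passed to a fixed template as a context variable. The following is an added defensive example, not code from Tandoor Recipes or from the advisory. It assumes a web application whose free-text fields (recipe names, descriptions) must never contain template syntax, and shows two checks a defender can apply: an input validator that rejects Jinja2 delimiters before the value is stored, and a scan over access-log lines (constructed sample data) that surfaces URL-encoded template delimiters for detection. Field names, log format and the `SAMPLE_LOG` lines are constructed for illustration.

```python
"""Defensive checks against Jinja2 template-injection input.

Added illustration, not part of Tandoor Recipes. Assumption: user-supplied
strings are *data* for a fixed template and must never be fed to the
template engine as *source*. Rejecting Jinja2 delimiters at the input
boundary is a mitigation for the case where that separation is not
guaranteed downstream; scanning logs for the same delimiters is a cheap
detection for probing attempts.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Default Jinja2 delimiters: {{ expression }}, {% statement %}, {# comment #}.
# Opening and closing markers are both matched so a truncated value still
# trips the check.
_JINJA_DELIMITERS = re.compile(r"\{\{|\{%|\{#|%\}|\}\}|#\}")

# Constructed access-log lines (Apache combined-style, with a body excerpt
# appended for the POST). Only line 2 carries URL-encoded "{{ name }}".
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2025:10:00:01 +0000] "GET /recipe/12/ HTTP/1.1" 200 4821',
    '10.0.0.9 - - [01/Feb/2025:10:00:07 +0000] "POST /api/recipe/ HTTP/1.1" 201 300 '
    '"name=%7B%7B%20name%20%7D%7D"',
    '10.0.0.5 - - [01/Feb/2025:10:00:09 +0000] "GET /search/?q=pesto%20100%25 HTTP/1.1" 200 1102',
]


def contains_template_syntax(value: str) -> bool:
    """Return True if the string carries any Jinja2 delimiter."""
    return bool(_JINJA_DELIMITERS.search(value))


def validate_user_field(value: str, max_len: int = 512) -> str:
    """Accept plain text for a field that may later be rendered by a template
    engine. Raises ValueError on template syntax or oversized input so the
    value never reaches the engine as source."""
    if len(value) > max_len:
        raise ValueError("field too long")
    if contains_template_syntax(value):
        raise ValueError("template syntax is not allowed in this field")
    return value


def scan_request_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) pairs whose URL-decoded content contains
    Jinja2 delimiters. Percent-decoding matters because clients encode braces
    in query strings and bodies; a match means 'investigate', not 'exploited'."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        if contains_template_syntax(unquote(line)):
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    print(validate_user_field("Pasta al pesto"))          # accepted as plain data
    try:
        validate_user_field("Pasta {{ name }}")
    except ValueError as exc:
        print("rejected:", exc)
    for n, line in scan_request_log(SAMPLE_LOG):
        print(f"log line {n} contains template delimiters: {line}")
```

The validator is a boundary control for fields that should be plain text; it does not replace the real fix (keeping templates fixed and passing user input only as render context), and it will also reject legitimate text that happens to contain braces, which is the intended trade-off for such fields. The log scan only flags delimiter presence, so a hit is a triage signal rather than proof of compromise.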

Summary generated and translated by AI from the official description.

Official description: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the provided Docker Compose file, as root. This vulnerability is fixed in 1.5.24.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
TandoorRecipes · recipes
