Server-Side Template Injection Vulnerability in LaRecipe by Saleem Hadad
CVE-2025-53833
Key Information:
- Vendor: Saleem-hadad
- Status: Vendor
- CVE Published: 14 July 2025
What is CVE-2025-53833?
CVE-2025-53833 is a Server-Side Template Injection (SSTI) vulnerability in LaRecipe, a Laravel package for publishing documentation written in Markdown. Because document content can reach the Blade template engine as template source rather than as data, an attacker who controls that content can have the server evaluate template expressions and directives, which in Blade means executing arbitrary PHP. Successful exploitation can expose sensitive server resources and environment variables (such as application keys and credentials held in configuration) and can lead to full compromise of the host. All LaRecipe releases before 2.8.1 are affected; the fix is to upgrade to 2.8.1 or later.
Potential Impact of CVE-2025-53833
- Remote Code Execution (RCE): the most significant risk. An attacker who exploits this vulnerability can run arbitrary commands on the server, which can lead to a complete takeover of the affected system.
- Access to Sensitive Information: exploitation can expose environment variables and configuration held by the server, including credentials and API keys, which enables further compromise or data breaches.
- Privilege Escalation and Lateral Movement: depending on the server configuration, an attacker may escalate privileges after the initial foothold and use the host to reach other systems on the network.
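To make the flaw class concrete, the following is an added illustration for this page. It is not LaRecipe's source and does not reproduce the exact code path changed in 2.8.1; the function names are hypothetical, and it assumes a Laravel application where the `Blade` facade and `Str::markdown` (league/commonmark) are available. It contrasts rendering a Markdown document as a Blade template (the SSTI pattern) with rendering it as data passed into a fixed template.

```php
<?php
// Added example for this advisory page. It is NOT LaRecipe's source and does
// not reproduce the exact code path fixed in 2.8.1; function names are
// hypothetical. Assumes a Laravel app (Blade facade, Str::markdown/commonmark).

use Illuminate\Support\Facades\Blade;
use Illuminate\Support\Str;

/**
 * VULNERABLE PATTERN: the document text is handed to the Blade compiler.
 * Blade treats {{ ... }}, {!! ... !!} and @directives as PHP, so a page
 * containing {{ env('APP_KEY') }} or @php(shell_exec('id')) runs on the server.
 */
function renderDocVulnerable(string $markdown): string
{
    $html = Str::markdown($markdown);   // Markdown to HTML; braces survive untouched
    return Blade::render($html);        // HTML is compiled as a template: SSTI
}

/**
 * HARDENED PATTERN: the template is a fixed string the developer controls and
 * the document is passed in as a variable, so Blade never parses its braces
 * or directives. CommonMark is told to strip raw HTML and unsafe links so the
 * rendered output is not an XSS vector either.
 */
function renderDocHardened(string $markdown): string
{
    $html = Str::markdown($markdown, [
        'html_input'         => 'strip',
        'allow_unsafe_links' => false,
    ]);

    // {!! !!} is deliberate here: $html is sanitised Markdown output, and its
    // content is echoed as a runtime value, never compiled as template source.
    return Blade::render('<article class="doc">{!! $html !!}</article>', [
        'html' => $html,
    ]);
}

// Constructed sample input representing a hostile document (not a real exploit
// from the advisory): a Blade echo and an inline @php directive.
$hostileDoc = "# Install\n\nRun: {{ env('APP_KEY') }}\n\n@php(echo shell_exec('id'))\n";

// renderDocVulnerable($hostileDoc) would evaluate env() and shell_exec().
// renderDocHardened($hostileDoc) emits the braces and the @php text verbatim.
echo renderDocHardened($hostileDoc);
```

The rule the hardened form follows is the generic SSTI fix: template source is code and must be static; anything that originates from a document, a database or a request is data and enters the template only as a variable. If a deployment intentionally wants Blade features inside documentation, the alternative is to neutralise Blade syntax in untrusted regions before compilation (`@{{ ... }}`, `@{!! ... !!}`, `@@directive`), but that is an allow-list that breaks as soon as a new directive or echo form is missed, so separating code from data is the safer design.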
Affected Version(s)
larecipe < 2.8.1
News Articles
LaRecipe Tool with 2.3M Downloads Found Vulnerable to Full Server Takeover
A critical security vulnerability has been discovered in LaRecipe, a popular Laravel documentation package with over 2.3 million downloads, that could allow attackers to completely compromise affected servers.
CVE-2025-53833 saleem-hadad larecipe special elements used in a template engine (GHSA-jv7x-xhv2-p5v2)
A vulnerability was found in saleem-hadad larecipe up to 2.8.0. It has been classified as critical. This vulnerability is traded as CVE-2025-53833. It is recommended to upgrade the affected component.
References
EPSS Score
21% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Vulnerability started trending
- Exploit known to exist
- First article discovered by VulDB
- Vulnerability published
- Vulnerability reserved
