Deserialization Vulnerability in Jinjava by HubSpot
CVE-2025-59340
9.8 CRITICAL
What is CVE-2025-59340?
A deserialization vulnerability in Jinjava, HubSpot's Java-based template engine, allows attackers to control object deserialization. In versions prior to 2.8.1, an improper configuration lets an attacker instruct the ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This can instantiate sensitive classes such as java.net.URL, giving unauthorized access to local files and remote resources, and can escalate to remote code execution. The vulnerability has been addressed in version 2.8.1.
Affected Version(s)
jinjava < 2.8.1
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
