
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user

Critical severity GitHub Reviewed Published Jun 8, 2025 in knadh/listmonk • Updated Jun 9, 2025

Package

gomod github.com/knadh/listmonk (Go)

Affected versions

>= 4.0.0, < 5.0.2

Patched versions

5.0.2

Description

Summary

The env and expandenv template functions, which are enabled by default in Sprig, allow reading environment variables from the host. While this may not be a problem on single-user (super admin) installations, on multi-user installations it allows non-super-admin users with campaign or template permissions to use the {{ env }} template expression to read sensitive environment variables.

Upgrade to v5.0.2 to mitigate.


Demonstration

Description

A critical template injection vulnerability exists in listmonk's campaign preview functionality. Because dangerous template functions are allowed, authenticated users with minimal privileges (campaigns:get and campaigns:get_all) can extract sensitive system data, including database credentials, SMTP passwords, and admin credentials.

Proof of Concept

  • Create a user and grant it the campaigns:get and campaigns:get_all privileges

[screenshot]

  • Now log in with that user, open any campaign and go to the Content section. This is where the vulnerability lies: the preview executes the template content, which lets the user read environment variables, call Sprig functions, and so on.

  • Now enter the following in the text field and press Preview:

{{ env "AWS_KEY" }}
{{ env "LISTMONK_db__user" }}
{{ env "LISTMONK_db__password" }}

[screenshot]

Preview:

[screenshot]

I had the AWS_KEY variable set like that to confirm the vulnerability:

[screenshot]

Impact

  • Through the environment variables the attacker can read, they can fully compromise the database, cloud accounts, admin credentials and more, depending on what is configured, leading to total system takeover and a data breach.

Suggested Fix

  • Block template functions such as env, expandEnv and fail, as they can be used to leak environment variables, which leads to a full takeover.
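The following is an added example, not listmonk's own code and not the Sprig library. It shows, with Go's standard text/template, why a FuncMap that carries env/expandenv leaks host variables into any user-supplied template, and how removing those names from the map (the approach the suggested fix describes) makes such a template fail at parse time. The defaultFuncs map is a constructed stand-in for Sprig's default function map (only the two environment helpers and one harmless helper are reproduced); the LISTMONK_db__password value set in main is a constructed placeholder, not a real secret.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// defaultFuncs is a constructed stand-in for the Sprig default FuncMap.
// Sprig registers many helpers; the two that matter here read from the
// host process environment, exactly as described in the advisory.
func defaultFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,       // {{ env "NAME" }}
		"expandenv": os.ExpandEnv,    // {{ expandenv "$NAME" }}
		"upper":     strings.ToUpper, // harmless helper, kept to show it survives hardening
	}
}

// hardenedFuncs returns a copy of base with the environment-reading helpers
// removed. Both Sprig's lower-case names and the camel-case spelling used in
// the advisory's suggested fix are covered. Because the names are absent from
// the FuncMap, text/template rejects any template that references them while
// parsing, so the template body is never executed.
func hardenedFuncs(base template.FuncMap) template.FuncMap {
	blocked := []string{"env", "expandenv", "expandEnv"}
	out := template.FuncMap{}
	for name, fn := range base {
		out[name] = fn
	}
	for _, name := range blocked {
		delete(out, name)
	}
	return out
}

// render parses and executes a user-supplied template body (a campaign body,
// in listmonk's terms) against the given FuncMap and returns the output.
func render(body string, funcs template.FuncMap) (string, error) {
	tpl, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tpl.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed placeholder value for the demonstration.
	os.Setenv("LISTMONK_db__password", "constructed-example-secret")
	body := `{{ env "LISTMONK_db__password" }}`

	out, err := render(body, defaultFuncs())
	fmt.Printf("default map:  output=%q err=%v\n", out, err)

	out, err = render(body, hardenedFuncs(defaultFuncs()))
	fmt.Printf("hardened map: output=%q err=%v\n", out, err)
}
```

Removing the functions from the FuncMap is preferable to scanning the raw template text for the string "env": the parser itself refuses unknown function names, so the check cannot be bypassed by unusual whitespace or template syntax, and every other Sprig helper keeps working unchanged.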

References

@knadh knadh published to knadh/listmonk Jun 8, 2025
Published to the GitHub Advisory Database Jun 9, 2025
Reviewed Jun 9, 2025
Published by the National Vulnerability Database Jun 9, 2025
Last updated Jun 9, 2025

Severity

Critical


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS score

(8th percentile)

CVE ID

CVE-2025-49136

GHSA ID

GHSA-jc7g-x28f-3v3h
