9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-49136

GHSA ID

GHSA-jc7g-x28f-3v3h

EPSS Score

0.0754%

CWE

Published

6/9/2025

Updated

6/9/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49136

CVE-2025-49136: listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user

Summary

The env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the {{ env }} template expression to capture sensitive environment variables.

Upgrade to v5.0.2 to mitigate.

Demonstration

Description

A critical template injection vulnerability exists in Listmonk's campaign preview functionality that allows authenticated users with minimal privileges (campaigns:get & campaigns:get_all) to extract sensitive system data, including database credentials, SMTP passwords, and admin credentials due to some dangerous function being allowed.

Proof of Concept

Create a user and give him campaigns:get and campaigns:get_all privileges

Now login with that user, go to any campaign, go the Content section and here lies the vulnerability, we're able to execute template content which allows us to get environment variables, execute Sprig functions...
Now in the text field you can input the following and press Preview:

{{ env "AWS_KEY" }}
{{ env "LISTMONK_db__user" }}
{{ env "LISTMONK_db__password" }}

Preview:

I had the AWS_KEY variable set like that to confirm the vulnerability:

Impact

Through these environment variables the attacker can access, they can fully compromise the database, cloud accounts, admin credentials, and more depending on what was setup leading to total system takeover and data breach.

Suggested Fix

Blacklist some function for templates like env, expandEnv and fail as they can be used to leak environment variables which leads to a full takeover.

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-49136

GHSA ID

GHSA-jc7g-x28f-3v3h

EPSS Score

0.0754%

CWE

Published

6/9/2025

Updated

6/9/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/knadh/listmonk	go	>= 4.0.0, < 5.0.2	5.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (GHSA-jc7g-x28f-3v3h) in Listmonk arises from the use of the Sprig template library, which by default includes potentially dangerous functions like env and expandenv. These functions allow access to system environment variables from within templates. The exploit occurs when a low-privilege user with permissions to create or modify campaign content (which uses templates) injects template code like {{ env "SENSITIVE_VAR" }}.

The analysis of the provided patch (commit d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e) shows modifications in two key Go files:

cmd/init.go: The function initTplFuncs was changed to explicitly delete env and expandenv from the sprig.GenericFuncMap() before making these functions available to the template engine.
internal/manager/manager.go: The method (*Manager).makeGnericFuncMap (note: 'Gneric' is likely a typo in the original codebase for 'Generic') underwent the same modification, removing env and expandenv.

These two functions, initTplFuncs and (*Manager).makeGnericFuncMap, were the points in the Listmonk codebase where the vulnerable Sprig functions were being registered for use in templates. By including sprig.GenericFuncMap() in its entirety without filtering, these Listmonk functions inadvertently exposed the env and expandenv functionalities, making the application vulnerable to environment variable disclosure by users who could control template content. The patch mitigates this by ensuring these specific dangerous functions are no longer available to the template engine. Therefore, these two functions are identified as the ones whose previous implementation led to the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** `*nv` *n* `*xp*n**nv` t*mpl*t* *un*tions w*i** is *n**l** *y ****ult in [Spri*](*ttps://m*st*rmin*s.*it*u*.io/spri*/) *n**l*s **pturin* o* *nv v*ri**l*s on *ost. W*il* t*is m*y not ** * pro*l*m on sin*l*-us*r (sup*r **min) inst*ll*tio

Reasoning

T** vuln*r**ility (**S*-j***-x***-*v**) in Listmonk *ris*s *rom t** us* o* t** Spri* t*mpl*t* li*r*ry, w*i** *y ****ult in*lu**s pot*nti*lly **n**rous *un*tions lik* `*nv` *n* `*xp*n**nv`. T**s* *un*tions *llow ****ss to syst*m *nvironm*nt v*ri**l*s

9.1

Basic Information

Concerned about an active attack path?

CVE-2025-49136: listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user

Summary

Demonstration

Description

Proof of Concept

Preview:

Impact

Suggested Fix

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI