6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-6518

GHSA ID

GHSA-8gff-cf92-72pv

EPSS Score

0.19388%

CWE

CWE-791

Published

6/23/2025

Updated

6/25/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-6518

CVE-2025-6518: pyspur Incomplete Filtering of Special Elements allowed by SingleLLMCallNode function

A vulnerability was found in PySpur-Dev pyspur up to 0.1.18. It has been classified as critical. Affected is the function SingleLLMCallNode of the file backend/pyspur/nodes/llm/single_llm_call.py of the component Jinja2 Template Handler. The manipulation of the argument user_message leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-6518

GHSA ID

GHSA-8gff-cf92-72pv

EPSS Score

0.19388%

CWE

CWE-791

Published

6/23/2025

Updated

6/25/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pyspur	pip	<= 0.1.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the run method of the SingleLLMCallNode class, located in backend/pyspur/nodes/llm/single_llm_call.py. The method directly uses the user_message from the node's configuration to render a Jinja2 template without any prior sanitization or validation. This allows an attacker to inject arbitrary template code. The GitHub issue #289 provides a clear analysis and a Proof-of-Concept (POC) that confirms the vulnerability. The POC shows how a specially crafted user_message can be used to execute arbitrary commands on the server by accessing Python's object hierarchy through the template. The root cause is the lack of input sanitization on the user_message before it is passed to the Jinja2 Template constructor and rendered. This allows for a classic Server-Side Template Injection (SSTI) attack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in PySpur-**v pyspur up to *.*.**. It **s ***n *l*ssi*i** *s *riti**l. *****t** is t** *un*tion Sin*l*LLM**llNo** o* t** *il* ***k*n*/pyspur/no**s/llm/sin*l*_llm_**ll.py o* t** *ompon*nt Jinj** T*mpl*t* **n*l*r. T** m*nipul*

Reasoning

T** vuln*r**ility *xists in t** `run` m*t*o* o* t** `Sin*l*LLM**llNo**` *l*ss, lo**t** in `***k*n*/pyspur/no**s/llm/sin*l*_llm_**ll.py`. T** m*t*o* *ir**tly us*s t** `us*r_m*ss***` *rom t** no**'s *on*i*ur*tion to r*n**r * Jinj** t*mpl*t* wit*out *ny

6.3

Basic Information

Concerned about an active attack path?

CVE-2025-6518: pyspur Incomplete Filtering of Special Elements allowed by SingleLLMCallNode function

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI