Summary:
Pimcore, a widely used open-source data and experience management platform, was discovered to contain a serious security vulnerability. In versions before 10.5.9, user-controlled data could be directly rendered as Twig templates inside the Pimcore/Mail and ClassDefinition\Layout\Text components. This flaw, tracked as CVE-2022-39365, enables attackers to inject and execute arbitrary code on the server – a classic Server-Side Template Injection (SSTI). In this post, we’ll demystify how the exploit works, investigate the vulnerable code, demonstrate an example exploit, and show you how to patch your instance.
1. Understanding the Vulnerability
Pimcore lets users define email templates and custom layouts using Twig, a popular templating language. Before version 10.5.9, user-controlled content reached the Twig parser as template source rather than as data. Any Twig syntax in that content is therefore compiled to PHP and evaluated, and with access to the environment's functions and filters that evaluation can be escalated to arbitrary code execution.
The typical vulnerable pattern looks like this
$twig = new \Twig\Environment($loader);
$output = $twig->render($userSuppliedTemplate, $data);
If $userSuppliedTemplate is attacker-controlled, it can carry Twig tags and expressions such as {% do system('id') %}. Note that Twig ships no system function or filter: that exact tag only executes if the application or an extension registered one. The underlying defect is that untrusted input is parsed as template code at all, which exposes whatever the Twig environment makes reachable.
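As an added example (not code from Pimcore or from the original post), here is the vulnerable pattern beside its fix. It assumes twig/twig 2.x or 3.x installed through Composer and PHP 8; the fixed template string and the probe input are constructed for the demo. Rendering {{ 7 * 7 }} is the standard harmless SSTI probe: if the output contains 49, the input was parsed as template code.

```php
<?php
// Added example, not Pimcore code: untrusted input as template source (vulnerable)
// versus untrusted input as a template variable (safe).
// Assumes twig/twig 2.x or 3.x installed with Composer, PHP 8.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// VULNERABLE: the attacker-controlled string *is* the template, so every
// {{ ... }} and {% ... %} inside it is parsed and evaluated by Twig.
function renderUntrustedAsTemplate(Environment $twig, string $source): string
{
    return $twig->createTemplate($source)->render([]);
}

// SAFE: the template is a fixed, developer-authored string; the attacker's
// input only ever arrives as a variable and is emitted as escaped text.
function renderUntrustedAsData(Environment $twig, string $value): string
{
    return $twig->createTemplate('Subject: {{ subject }}')->render(['subject' => $value]);
}

$twig = new Environment(new ArrayLoader([]));

// Constructed probe input: the harmless arithmetic test used to detect SSTI.
$userInput = 'Hello {{ 7 * 7 }}';

$vulnerable = renderUntrustedAsTemplate($twig, $userInput);
$safe       = renderUntrustedAsData($twig, $userInput);

// A rendered "49" proves the input was evaluated as code rather than shown as data.
printf("as template: %s  (evaluated: %s)\n", $vulnerable, str_contains($vulnerable, '49') ? 'yes' : 'no');
printf("as data:     %s  (evaluated: %s)\n", $safe, str_contains($safe, '49') ? 'yes' : 'no');
```

Run it with php after composer require twig/twig. The first line shows the arithmetic evaluated, the second shows the probe echoed back verbatim: same input, and the only difference is whether it was handed to Twig as source or as a variable. That distinction is the whole fix for the common case where users only need to supply values, not templates.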
2. How Does Exploitation Work?
If an attacker can control email template content or any value rendered by the Layout\Text component, they can supply Twig syntax that is evaluated server-side when the template is rendered. At minimum that exposes the variables in the template context; with the right functions or filters reachable from the environment, it becomes command execution on the host.
Minimal Exploit Example
Suppose the attacker can set or inject the following Twig template into email content or a text layout:
{{ ['id','','-u']|join(' ')|system }}
When this is rendered by Twig, and only if the environment exposes a system filter (Twig ships none, so the application or a third-party extension must have registered it), it runs id -u on the server; the array literal and the join filter are standard Twig. The result may be returned in the page, logged, or mailed to the attacker. Because system is not part of Twig, a working payload against a given installation depends on which functions and filters that Twig version and the application expose, which is exactly why the fix must be an allow-list rather than a blocklist of names.
Proof of Concept Steps
1. Go to a part of the Pimcore admin where you can edit/write template code for emails or text layouts.
3. References and More Reading
- Official GitHub Advisory for CVE-2022-39365
- Explaining Server-Side Template Injection (PortSwigger)
- CVE Details - CVE-2022-39365
- Twig Documentation
Upgrade – The Best Solution
Update your Pimcore instance to version 10.5.9 or later. Note that composer update only moves within the version constraint in composer.json, so check that the pimcore/pimcore constraint admits 10.5.9 before running it.
composer update pimcore/pimcore
Manual Patch (Workaround)
If you cannot upgrade immediately, you can backport the patch. In the commit fixing the issue, Pimcore developers:
Prevented rendering of user-controlled templates with full Twig context.
Core Idea:
Treat user-controlled content as data, not as a template. Where a user-authored template genuinely has to be rendered, expose only safe variables and allow-list the Twig tags, filters and functions it may use. PHP functions such as system, exec or eval are not Twig functions; they become reachable only through something the environment registers or a built-in that accepts a callable name, so blocklisting a few names is not enough.
Example Patch Snippet
Find where the Twig environment is created (e.g. in Mail.php).
Replace or add (an illustrative sandbox configuration, not the literal upstream diff; the allow-list contents are an example)
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
$twig = new \Twig\Environment($loader); // autoescape stays at its default of 'html'
// Allow-list what a user-controlled template may use; anything else
// (any unlisted tag, filter, function, method or property) throws Twig\Sandbox\SecurityError.
$policy = new SecurityPolicy(
    ['if', 'for'],               // tags
    ['escape', 'join', 'upper'], // filters
    [],                          // methods
    [],                          // properties
    ['range']                    // functions
);
// true: sandbox every template, not only {% sandbox %} blocks
$twig->addExtension(new SandboxExtension($policy, true));
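A complete, runnable version of the sandbox approach, added here as an illustration and not Pimcore's own fix: a helper that builds a sandboxed Twig environment with an explicit allow-list, and a renderer that rejects any user template stepping outside it. The policy contents, the function names, the variables and the three sample templates are assumptions constructed for the demo; it assumes twig/twig 2.x or 3.x via Composer and PHP 8.

```php
<?php
// Added example, not Pimcore's fix: render user-authored templates only inside
// Twig's sandbox, with an explicit allow-list of tags, filters and functions.
// Assumes twig/twig 2.x or 3.x installed with Composer, PHP 8.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// The allow-list below is an assumption for the demo; size it to what your
// templates genuinely need and nothing more.
function makeSandboxedTwig(): Environment
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                // tags
        ['escape', 'upper', 'join'],  // filters
        [],                           // object methods: none
        [],                           // object properties: none
        ['range']                     // functions
    );
    $twig = new Environment(new ArrayLoader([]));
    // Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

// Returns the rendered output, or null when the policy rejected the template.
// Catching SecurityError (not Throwable) keeps genuine bugs visible.
function renderUserTemplate(Environment $twig, string $source, array $vars): ?string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        error_log('rejected user template: ' . $e->getMessage());
        return null;
    }
}

$twig = makeSandboxedTwig();
$vars = ['name' => 'alice', 'roles' => ['editor', 'reviewer']];

// Constructed sample templates: the first stays inside the policy, the
// other two use a filter and a tag that are not on the allow-list.
$samples = [
    'inside policy'     => 'Hi {{ name|upper }}: {{ roles|join(", ") }}',
    'disallowed filter' => '{{ name|reverse }}',
    'disallowed tag'    => "{% include 'other.html.twig' %}",
];

foreach ($samples as $label => $source) {
    $out = renderUserTemplate($twig, $source, $vars);
    printf("%-17s => %s\n", $label, $out ?? 'REJECTED by sandbox policy');
}
```

The sandbox check runs when the compiled template is instantiated or displayed, before any include is loaded, so the rejected templates never reach the loader. The same SecurityError is raised for any filter or function missing from the list, including the ones that accept PHP callable names in some Twig versions, which is what makes an allow-list robust where a blocklist of dangerous names is not.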
5. Security Tips Going Forward
- Never render user-supplied or untrusted data as code/templates.
- Restrict which Twig functions/extensions are enabled.
6. Conclusion
CVE-2022-39365 is a dangerous bug that could allow total server compromise for vulnerable Pimcore installations. If you manage Pimcore sites, apply the update to 10.5.9 immediately or patch manually. This is a textbook example of why functions that render code, even simple templates, should never take untrusted input.
*Stay safe. Patch promptly. Audit your template rendering code.*
Timeline
Published on: 10/27/2022 15:15:00 UTC
Last modified on: 10/31/2022 14:13:00 UTC