HubSpot has issued a security advisory regarding a critical flaw in its Jinjava template engine, which powers thousands of websites and processes “hundreds of millions of page views per month on the HubSpot CMS.” The vulnerability, tracked as CVE-2025-59340, carries a CVSS score of 9.8 and allows attackers to bypass Jinjava’s sandbox restrictions, potentially escalating to full remote code execution (RCE).
HubSpot explains: “jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as getClass(), and block instantiation of Class objects. However, these protections can be bypassed.”
By abusing the constructFromCanonical() method of the underlying ObjectMapper, attackers can deserialize input into arbitrary classes. This opens the door to instantiating sensitive objects like java.net.URL, enabling the reading of local files (e.g., /etc/passwd) or launching server-side request forgery (SSRF) attacks.
The advisory warns: “This allows sandbox escape and the creation of powerful primitives. For example, instantiating java.net.URL enables reading arbitrary files… With further chaining, this primitive can potentially lead to remote code execution (RCE).”
A working exploit was demonstrated against Jinjava 2.8.0, where a crafted template could fetch and read sensitive system files through the ObjectMapper deserialization primitive described above. This proof-of-concept (PoC) confirms that the vulnerability is not merely theoretical but practically exploitable.
The affected and fixed versions:
- Affected: Jinjava versions < 2.8.1
- Patched: 2.8.1
HubSpot has released a patch and urges immediate upgrades. The advisory states: “Escape the Jinjava sandbox and instantiate a wide range of classes using JavaType. This capability can be used to read arbitrary files and to perform full read SSRF… In certain environments… this primitive can even lead to complete remote code execution.”
Jinjava underpins critical rendering operations in HubSpot’s CMS ecosystem. With its widespread use in enterprise and marketing websites, the risk of sandbox escapes leading to data breaches, SSRF exploitation, and system takeover is high.
Organizations running vulnerable versions should prioritize patching, audit their logs for suspicious template executions, and ensure input validation and strict access controls are enforced across their CMS environments.
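As an added triage helper (not HubSpot's code or part of the advisory), the script below does two defender-side checks that follow from the details above: it decides whether a declared Jinjava version falls in the affected range (< 2.8.1), and it flags template source that references the identifiers the advisory names so those templates can be reviewed by hand. The token list, the POM regex and the sample inputs are constructed assumptions for this example.

```python
import re

# Versions strictly below this are affected, per the advisory (< 2.8.1).
PATCHED = (2, 8, 1)

# Identifiers the advisory names in the bypass chain. A hit means "review this
# template", not "this template is malicious". The list is constructed for this example.
SUSPICIOUS_TOKENS = ("constructFromCanonical", "ObjectMapper", "JavaType", "java.net.URL")

def parse_version(text):
    """Turn '2.8.0' or '2.7.3-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version):
    """True if the declared Jinjava version predates the 2.8.1 fix."""
    return parse_version(version) < PATCHED

def affected_versions_in_pom(pom_xml):
    """Return affected jinjava <version> values declared in a Maven POM."""
    # Regex rather than a full XML parse; assumes the usual <artifactId> then <version> order.
    pattern = re.compile(
        r"<artifactId>\s*jinjava\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>")
    return [v for v in pattern.findall(pom_xml) if is_affected(v)]

def flag_template(source):
    """Return (line_number, token) pairs for advisory-named identifiers found in a template."""
    return [(n, tok) for n, line in enumerate(source.splitlines(), 1)
            for tok in SUSPICIOUS_TOKENS if tok in line]

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_POM = """<dependency>
  <groupId>com.hubspot.jinjava</groupId>
  <artifactId>jinjava</artifactId>
  <version>2.8.0</version>
</dependency>"""

SAMPLE_TEMPLATE = """{# constructed template for the scanner test #}
{% for item in contents %}<li>{{ item.name }}</li>{% endfor %}
{{ mapper.constructFromCanonical(type_name) }}
"""

if __name__ == "__main__":
    print("affected versions:", affected_versions_in_pom(SAMPLE_POM))
    print("template hits:", flag_template(SAMPLE_TEMPLATE))
```

Point `affected_versions_in_pom` at each build's POM and `flag_template` at the template directory; any flagged line is a review item, and the only real fix is the 2.8.1 upgrade.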