What is the CVSS score of EUVD-2025-21400?

EUVD-2025-21400 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 16.8%.

Which versions of Laravel are affected by EUVD-2025-21400?

A critical vulnerability in LaRecipe (CVE-2025-53833) allows unauthenticated attackers to execute arbitrary code on affected servers through Server-Side Template Injection.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-21400?

Yes, a public proof-of-concept exploit is available for EUVD-2025-21400. Prioritise patching immediately. EPSS: 16.8%.

How to fix or mitigate EUVD-2025-21400?

Within 24 hours: Identify all systems running LaRecipe and their versions; isolate affected instances from production if possible and assess blast radius. Within 7 days: Implement compensating controls (WAF rules blocking template injection patterns, network segmentation restricting LaRecipe access, or disable documentation features if non-critical). Within 30 days: Upgrade to LaRecipe v2.8.1 or later when available; monitor vendor communications daily for patch release and apply immediately upon availability.

Laravel EUVD-2025-21400

| CVE-2025-53833 CRITICAL

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2025-07-14 security-advisories@github.com

GHSA-jv7x-xhv2-p5v2

RCE Laravel PHP Information Disclosure Code Injection

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 09:43 euvd

EUVD-2025-21400

Analysis Generated

Mar 16, 2026 - 09:43 vuln.today

CVE Published

Jul 14, 2025 - 23:15 nvd

CRITICAL 10.0

DescriptionGitHub Advisory

LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch.

AnalysisAI

LaRecipe versions prior to 2.8.1 contain a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) in vulnerable configurations. The vulnerability allows unauthenticated network attackers to execute arbitrary commands on the server, access sensitive environment variables, and escalate privileges without requiring user interaction or special access. With a perfect CVSS 3.1 score of 10.0 and network-based attack vector, this represents a critical threat to all unpatched LaRecipe installations.

Technical ContextAI

LaRecipe is a Laravel-based documentation application that processes user-supplied Markdown input. The vulnerability stems from improper handling of template expressions in CWE-1336 (Insufficient Neutralization of Special Elements used in a Template Engine), where user-controlled input is passed directly to a template engine without adequate sanitization or escaping. Laravel applications commonly use Blade templating, which can execute arbitrary PHP code if untrusted input reaches the template rendering engine. The vulnerability affects the markdown processing pipeline where attacker-controlled content is not properly isolated before template compilation, allowing injection of template syntax (e.g., {{ }} or {!! !!} delimiters) that execute server-side code. This is particularly dangerous in Laravel environments where template engines have access to the full application context, including service containers and configuration objects.

RemediationAI

Immediate remediation steps: (1) UPGRADE: Update LaRecipe to version 2.8.1 or later immediately. This is the only official patch. Execute: composer update larecipe/larecipe to v2.8.1+; (2) VERIFY: After upgrade, test documentation rendering to ensure no functionality regression; (3) AUDIT: Review server logs (Laravel logs, web server access logs, PHP error logs) for evidence of exploitation attempts or successful attacks, looking for suspicious markdown inputs containing template syntax; (4) CREDENTIAL RESET: If the server was internet-facing during the vulnerable window, rotate all credentials (database passwords, API keys, environment secrets) as they may have been exposed; (5) INTERIM MITIGATIONS (if immediate patching is not possible): Disable LaRecipe routes via firewall/WAF rules, restrict network access to LaRecipe endpoints to trusted IPs only, implement Web Application Firewall (WAF) rules to detect and block template injection patterns in request payloads (e.g., block {{ and {!! patterns in Markdown input). NOTE: Workarounds are NOT reliable substitutes for patching—upgrade is mandatory. Vendor advisory: Check the official LaRecipe GitHub repository (larecipe/larecipe) releases page for patch notes and installation instructions.

EUVD-2025-21400 vulnerability details – vuln.today

Back

Laravel EUVD-2025-21400

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code