CVE-2025-25362: spacy-llm: SSTI allows unauthenticated RCE (CVSS 9.8)

GHSA-793v-gxfp-9q9h | CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published: March 5, 2025

CISO Take

Any application using spacy-llm <= 0.7.2 that accepts external input to its template field is fully compromised — no authentication required. Upgrade to 0.7.3 immediately; this is a drop-in patch with no breaking changes. Audit every service in your AI/NLP stack that uses spacy-llm and assume breach if template fields were exposed to untrusted input.

What is the risk?

CVSS 9.8 with AV:N/AC:L/PR:N/UI:N represents worst-case exploitability — no authentication, no user interaction, low complexity, full CIA impact. EPSS of 0.00453 reflects low observed exploitation at time of scoring, but a detailed public PoC blog was published on April 1, 2025, substantially lowering the bar for exploitation. AI/ML workloads typically run with broad filesystem and network access, making post-exploitation impact significantly higher than a standard application RCE.

What systems are affected?

Package: spaCy
Ecosystem: pip
Vulnerable Range: <= 0.7.2
Patched: 0.7.3

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

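AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High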

What should I do?

  1. PATCH: Upgrade spacy-llm to 0.7.3 — the fix is available in the referenced commit (8bde049). No API changes required.

  2. WORKAROUND (if patching is blocked): Treat the template field as untrusted input — strip or reject any Jinja2/template syntax characters ({%, {{, }}) before passing data to spacy-llm.

  3. AUDIT: Search codebases for uses of spacy-llm's template parameter accepting request body data, file contents, or any externally-sourced strings.

  4. DETECT: Monitor for anomalous process spawning from Python interpreters running spaCy — unexpected subprocesses, outbound connections from ML worker nodes, or unusual file access patterns.

  5. CONTAIN: If exposure is confirmed, rotate all credentials accessible to the compromised process (LLM API keys, DB credentials, cloud IAM tokens).
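
One way to implement the step 2 workaround as a reject-only gate on a decoded request body. This is an added example, not spacy-llm code or code from the advisory. The function names and the sample payloads are hypothetical, and the marker set goes beyond the three listed above by also covering the Jinja2 default closing and comment delimiters.

```python
import re

# Jinja2 default delimiters. The page lists {%, {{ and }}; the closing %} and
# the comment markers {# #} are added here because they are also Jinja2 defaults.
TEMPLATE_MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


def find_template_syntax(value, path="$"):
    """Walk a decoded request body and return (path, marker) for every string,
    dict keys included, that contains template syntax."""
    hits = []
    if isinstance(value, str):
        hits += [(path, m.group(0)) for m in TEMPLATE_MARKERS.finditer(value)]
    elif isinstance(value, dict):
        for key, item in value.items():
            hits += find_template_syntax(str(key), f"{path}.<key>")
            hits += find_template_syntax(item, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            hits += find_template_syntax(item, f"{path}[{index}]")
    return hits


class TemplateSyntaxRejected(ValueError):
    """Raised when untrusted input carries template delimiters."""


def require_plain_text(payload):
    """Reject (do not rewrite) input that contains template delimiters.
    Call it on externally sourced data before it can reach the template field."""
    hits = find_template_syntax(payload)
    if hits:
        where = ", ".join(sorted({p for p, _ in hits}))
        raise TemplateSyntaxRejected(f"template syntax in: {where}")
    return payload


# Constructed sample request bodies (not taken from a real service).
BENIGN = {"doc_id": 17, "labels": ["ORG", "PERSON"], "text": "Acme hired {Jane}."}
SUSPECT = {"doc_id": 18, "meta": {"notes": ["ok", "{{ 7 * 7 }}"]}, "text": "{% if x %}"}

if __name__ == "__main__":
    print(require_plain_text(BENIGN) is BENIGN)
    for path, marker in find_template_syntax(SUSPECT):
        print(path, marker)
```

The gate is a stopgap for deployments that cannot yet move to 0.7.3; logging the rejected paths also gives the AUDIT and DETECT steps a concrete signal.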

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.6 - AI System Security Controls — Dependency Management
NIST AI RMF: GOVERN 6.1 - Policies for Third-Party AI Risks
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-25362?

Any application using spacy-llm <= 0.7.2 that accepts external input to its template field is fully compromised — no authentication required. Upgrade to 0.7.3 immediately; this is a drop-in patch with no breaking changes. Audit every service in your AI/NLP stack that uses spacy-llm and assume breach if template fields were exposed to untrusted input.

Is CVE-2025-25362 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-25362, increasing the risk of exploitation.

How to fix CVE-2025-25362?

  1. PATCH: Upgrade spacy-llm to 0.7.3 — the fix is available in the referenced commit (8bde049). No API changes required.
  2. WORKAROUND (if patching is blocked): Treat the template field as untrusted input — strip or reject any Jinja2/template syntax characters ({%, {{, }}) before passing data to spacy-llm.
  3. AUDIT: Search codebases for uses of spacy-llm's template parameter accepting request body data, file contents, or any externally-sourced strings.
  4. DETECT: Monitor for anomalous process spawning from Python interpreters running spaCy — unexpected subprocesses, outbound connections from ML worker nodes, or unusual file access patterns.
  5. CONTAIN: If exposure is confirmed, rotate all credentials accessible to the compromised process (LLM API keys, DB credentials, cloud IAM tokens).

What systems are affected by CVE-2025-25362?

This vulnerability affects the following AI/ML architecture patterns: NLP preprocessing pipelines, RAG ingestion pipelines, document processing APIs, LLM integration frameworks, agent frameworks with NLP components.

What is the CVSS score for CVE-2025-25362?

CVE-2025-25362 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.73%.

What is the AI security impact?

Affected AI Architectures

NLP preprocessing pipelines
RAG ingestion pipelines
document processing APIs
LLM integration frameworks
agent frameworks with NLP components

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.

Exploitation Scenario

An adversary targeting an organization running a document analysis API backed by spacy-llm submits a crafted document or API request with a payload such as {{ ''.__class__.__mro__[1].__subclasses__()[X].__init__.__globals__['os'].popen('id').read() }} injected into a field that is forwarded to spacy-llm's template processor. The template engine evaluates the payload server-side, executing arbitrary OS commands under the Python process identity. The attacker pivots to exfiltrate LLM API keys stored in environment variables, dumps model artifacts from disk, and establishes a reverse shell into the ML infrastructure — all without any valid credentials.

Weaknesses (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

  • [Architecture and Design] Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
  • [Implementation] Use the template engine's sandbox or restricted mode, if available.

Source: MITRE CWE corpus.
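
The sandbox mitigation above, shown with Jinja2, the engine named in the workaround. This is an added example, not spacy-llm code or code from the advisory; it assumes the jinja2 package is installed, and the task template and input text are constructed.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# First links of the attribute chain quoted in the exploitation scenario;
# it only reads the str type's MRO and runs no command.
PROBE = "{{ ''.__class__.__mro__ }}"
# Constructed task-style template (hypothetical, not a spacy-llm template).
TASK_TEMPLATE = "Label the entities in: {{ text | upper }}"


def render(env, source, **variables):
    """Render source with env and return (status, detail)."""
    try:
        return "rendered", env.from_string(source).render(**variables)
    except SecurityError as exc:
        # The sandbox refuses access to underscore-prefixed attributes.
        return "blocked", str(exc)


def compare(source, **variables):
    """Render the same template in the default and the sandboxed environment."""
    return {
        "default": render(Environment(), source, **variables),
        "sandboxed": render(SandboxedEnvironment(), source, **variables),
    }


if __name__ == "__main__":
    for name, source in (("task", TASK_TEMPLATE), ("probe", PROBE)):
        results = compare(source, text="Acme hired Jane")
        for mode, (status, detail) in results.items():
            print(f"{name:5} {mode:9} {status:8} {detail}")
```

An ordinary task template renders identically in both environments, while the attribute walk is evaluated by the default environment and refused by the sandboxed one.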

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 5, 2025
Last Modified: April 2, 2025
First Seen: March 24, 2026
