What is the HubSpot Jinjava vulnerability CVE-2025-59340?

CVE-2025-59340 is a critical security vulnerability with a CVSS score of 9.8 in HubSpot's Jinjava templating engine. It's a flaw in the sandbox implementation through JavaType-based deserialization that could expose thousands of websites to complete system compromise by allowing attackers to bypass security protections and execute malicious code.

Which versions of Jinjava are affected by CVE-2025-59340?

The vulnerability affects all Jinjava versions prior to 2.8.1. Organizations using any version before 2.8.1 are vulnerable to this critical security flaw.

How can organizations fix the Jinjava vulnerability?

Organizations should immediately upgrade to Jinjava version 2.8.1 or later. Additionally, they should conduct audits of custom template inputs and review any direct or indirect usage of the `____int3rpr3t3r____` variable in their templates.

Was the Jinjava sandbox supposed to prevent this type of attack?

Yes, Jinjava's sandbox was specifically designed to prevent direct access to dangerous methods such as getClass() and block instantiation of Class objects. However, researchers discovered that these security protections can be systematically bypassed through the vulnerability in CVE-2025-59340.

Advisory

Critical vulnerability reported in Jinjava template engine, enables sandbox bypass, remote code execution

Q: What is Jinjava and where is it used?

Jinjava is a Java-based templating engine built on Django template syntax that is extensively used on thousands of websites including marketing pages, customer portals, internal dashboards, content management systems, and web applications connected to HubSpot services.

Q: How does the Jinjava vulnerability work?

The vulnerability exploits a built-in variable called `____int3rpr3t3r____` which provides direct access to the jinjavaInterpreter instance. Attackers can reach the config field and access the underlying ObjectMapper, then invoke the readValue method to deserialize attacker-controlled input into arbitrary Java classes, bypassing the sandbox's security protections.

Q: What can attackers do with the Jinjava vulnerability?

Attackers can achieve complete system compromise through this vulnerability. A proof-of-concept demonstration shows how attackers can read sensitive local files such as /etc/passwd by chaining Jackson's deserialization primitives, and potentially execute arbitrary code on affected systems.

Q: How serious is the Jinjava security vulnerability?

This is a critical vulnerability with a CVSS score of 9.8, indicating extremely high severity. It could expose thousands of websites to complete system compromise, making immediate patching essential for any organization using affected Jinjava versions.

published: Sept. 19, 2025

Take action: If you're using HubSpot's Jinjava templating engine, immediately upgrade to version 2.8.1 or later. There's a public PoC of the exploit and your templating engine is probably on a site that's exposed to the internet. Don't delay!

Learn More

HubSpot is reporting a critical security vulnerability in its Jinjava templating engine that could expose thousands of websites to complete system compromise.

The Jinjava template engine is Java-based and built on Django template syntax and is extensively used on thousands of websites including marketing pages, customer portals, internal dashboards, content management systems, and web applications connected to HubSpot services.

The vulnerability is tracked as CVE-2025-59340 (CVSS score 9.8), is a flaw in the sandbox implementation through JavaType-based deserialization. While Jinjava's sandbox was designed to prevent direct access to dangerous methods such as getClass() and block instantiation of Class objects, researchers discovered that these protections can be systematically bypassed.

The attack uses a built-in variable called ____int3rpr3t3r____ which provides direct access to the jinjavaInterpreter instance. Previous security measures were implemented to restrict call methods from JinjavaInterpreter instances, the vulnerability allows attackers to reach the config field and access the underlying ObjectMapper. By invoking the readValue(String content, JavaType valueType) method on this ObjectMapper, malicious actors can deserialize attacker-controlled input into arbitrary Java classes.

A proof-of-concept demonstration on Jinjava version 2.8.0 shows how attackers can read sensitive local files such as /etc/passwd by chaining Jackson's deserialization primitives.

{% set mapper = ____int3rpr3t3r____.config.objectMapper %}
{{ mapper.enableDefaultTyping() }}
{% set file = mapper.readValue('"file:///etc/passwd"', mapper.getTypeFactory().constructFromCanonical('java.net.URL')) %}
{% set inputStream = file.openStream() %}
{% set bytes = inputStream.readAllBytes() %}
{% set stringType = mapper.getTypeFactory().constructFromCanonical('java.lang.String') %}
{% set content = mapper.convertValue(bytes, stringType) %}
{{ content }}

The vulnerability affects all Jinjava versions prior to 2.8.1.

Organizations should upgrade to Jinjava version 2.8.1 or later, and conduct audits of custom template inputs and review any direct or indirect usage of the ____int3rpr3t3r____ variable.

Critical vulnerability reported in Jinjava template engine, enables sandbox bypass, remote code execution

Read More
Critical vulnerability in GitHub Enterprise Server enables access …
HPE patches multiple flaws in StoreOnce Backup, at …
Vulnerabilities reported in Mobile Security Framework (MobSF)
Microsoft warns ransomware groups exploiting VMware ESXi flaw …
Ubiquiti reports multiple vulnerabilities in Unifi Protect cameras …