Published March 5, 2025
A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| spacy-llm | pip | <= 0.7.2 | 0.7.3 |
If you run spacy-llm 0.7.2 or earlier, you are affected.
Severity & Risk
CVSS 3.1
9.8 / 10
EPSS
0.5%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A
Recommended Action
Patch available
Update spacy-llm to version 0.7.3 or later
Technical Details
NVD Description
A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.
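How this bug class plays out in practice, as an added example that is not code from spacy-llm, the advisory, or the linked commit. It assumes the prompt template is rendered with Jinja2 (an assumption; this page does not name the template engine) and uses a hypothetical payload that reaches the `os` module through Jinja2's default `cycler` global. Rendered in a plain `jinja2.Environment`, the attacker's template returns the current process ID, which proves the template called a Python function of its choosing; the same template in `jinja2.sandbox.SandboxedEnvironment` raises `SecurityError`, while a benign task template renders identically in both. `suspicious_markers` is a triage heuristic for reviewing logged template fields, not a defense. Whether the 0.7.3 patch takes the sandbox approach is not stated here; read the linked commit to confirm what it changes.

```python
"""Added example (not spacy-llm's code): what a Jinja2 SSTI in a user-controlled
'template' field gives an attacker, and how a sandboxed environment stops it.

Assumption (not stated on the advisory page): the prompt template is rendered
with Jinja2.  Requires `pip install jinja2`.
"""
import os
import re

import jinja2
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed benign template of the kind a classification task would ship.
BENIGN_TEMPLATE = "Classify the text into one of {{ labels|join(', ') }}:\n{{ text }}"

# Constructed attacker-supplied template (hypothetical payload, not taken from
# the advisory).  `cycler` is a default Jinja2 global; the module globals of
# its __init__ include `os`, so a plain string reaches the OS.  getpid() keeps
# the effect deterministic; popen('id') would work the same way.
EVIL_TEMPLATE = "{{ cycler.__init__.__globals__['os'].getpid() }}"

# Markers that almost never occur in a legitimate prompt template.  Heuristic
# for triage of logged templates only: it is bypassable (string building,
# the |attr filter, ...) and is no substitute for the sandbox.
SSTI_MARKERS = re.compile(
    r"__(class|mro|subclasses|globals|builtins|import|init)__|\|\s*attr\b"
)


def render_unsandboxed(template: str, **ctx) -> str:
    """The vulnerable pattern: user text compiled as a template in a full Environment."""
    return jinja2.Environment().from_string(template).render(**ctx)


def render_sandboxed(template: str, **ctx) -> tuple[bool, str]:
    """Same render inside SandboxedEnvironment.  Returns (blocked, output)."""
    env = SandboxedEnvironment()
    try:
        return False, env.from_string(template).render(**ctx)
    except SecurityError as exc:
        return True, f"blocked: {exc}"


def suspicious_markers(template: str) -> list[str]:
    """Distinct SSTI markers present in a template, for log triage."""
    return sorted({m.group(0) for m in SSTI_MARKERS.finditer(template)})


def run_demo() -> dict:
    """Run both templates through both environments and summarise the outcome."""
    ctx = {"labels": ["spam", "ham"], "text": "Win a prize now"}
    benign_plain = render_unsandboxed(BENIGN_TEMPLATE, **ctx)
    blocked_benign, benign_sandboxed = render_sandboxed(BENIGN_TEMPLATE, **ctx)
    evil_plain = render_unsandboxed(EVIL_TEMPLATE)
    blocked_evil, _ = render_sandboxed(EVIL_TEMPLATE)
    return {
        # the sandbox does not change what a legitimate template produces
        "benign_unchanged_by_sandbox": (not blocked_benign)
        and benign_plain == benign_sandboxed,
        # the payload really executed os.getpid() in this process
        "unsandboxed_reached_os": evil_plain == str(os.getpid()),
        # the sandbox refused the dunder attribute walk
        "sandbox_blocked_payload": blocked_evil,
        "markers_in_evil": suspicious_markers(EVIL_TEMPLATE),
        "markers_in_benign": suspicious_markers(BENIGN_TEMPLATE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it with `python` after installing Jinja2. The sandbox blocks because `SandboxedEnvironment.is_safe_attribute` rejects any attribute whose name starts with an underscore, which is what every `__class__`/`__globals__` object-graph walk relies on; note that `{{ ''.__class__ }}` alone renders as an empty string rather than raising, so the error only surfaces once the payload tries to go one step further.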
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-793v-gxfp-9q9h
- github.com/explosion/spacy-llm/commit/8bde0490cc1e9de9dd2e84480b7b5cd18a94d739
- github.com/explosion/spacy-llm/issues/492
- github.com/explosion/spacy-llm/pull/491
- nvd.nist.gov/vuln/detail/CVE-2025-25362
- hacktivesecurity.com/blog/2025/04/01/cve-2025-25362-old-vulnerabilities-new-victims-breaking-llm-prompts-with-ssti
Timeline
Published
March 5, 2025
Last Modified
April 2, 2025
First Seen
March 24, 2026