CVE-2025-49136 in listmonk

Summary

by MITRE • 06/09/2025

listmonk is a standalone, self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, enable capturing of env variables on the host. While this may not be a problem on single-user (super admin) installations, on multi-user installations this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

Analysis

by VulDB Data Team • 06/09/2025

The vulnerability CVE-2025-49136 affects listmonk, a standalone newsletter and mailing list manager that enables self-hosted deployment scenarios. This security flaw exists in versions 4.0.0 through 5.0.1, where the default configuration includes the Sprig template functions `env` and `expandenv` which are capable of accessing host environment variables. The issue stems from the improper restriction of operations within the template processing engine, creating a path for unauthorized information disclosure.

The technical flaw manifests through the default activation of Sprig template functions that allow template expressions to access operating system environment variables. When non-super-admin users possess campaign or template permissions, they can leverage the `{{ env }}` template expression to extract sensitive environment variables from the host system. This represents a privilege escalation vulnerability where users with limited access can gain unauthorized visibility into system configuration details. The vulnerability aligns with CWE-200, which addresses information exposure through improper restriction of operations, and CWE-732, which covers inadequate protection of system resources.

The operational impact of this vulnerability is significant in multi-user deployments where administrative separation is expected. In single-user installations with super admin access, the risk may be minimal since the user already has full system access. However, in multi-user environments where different permission levels exist, this flaw allows lower-privileged users to extract potentially sensitive information such as database credentials, API keys, or other configuration parameters stored in environment variables. The attack vector is straightforward and requires only basic template editing permissions, making it particularly dangerous in shared hosting or managed environments.

Organizations using listmonk should immediately upgrade to version 5.0.2 to remediate this vulnerability. The upgrade process should include thorough testing of existing templates and campaigns to ensure compatibility with the updated security measures. System administrators should also review user permissions and implement the principle of least privilege to minimize potential impact. Additionally, monitoring for unauthorized template modifications and environment variable access patterns should be implemented as part of ongoing security operations. This vulnerability demonstrates the importance of carefully reviewing default configurations in web applications and the potential risks associated with template engines that provide access to system-level resources. The issue falls under ATT&CK technique T1566, specifically targeting credential access through the exploitation of application vulnerabilities, and T1083, which addresses file and directory discovery through system information gathering.
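The template compatibility check mentioned above can be done at parse time. The following is an added example, not code from listmonk or from this advisory: it finds stored template bodies that call `env` or `expandenv` by parsing each one against a function map with and without those two functions. It assumes the remediation amounts to removing the two functions from the map; `defaultFuncs` is a constructed stand-in for a Sprig-style default map, and the sample template names, fields and `EXAMPLE_VAR` are made up.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
	"text/template"
)

// defaultFuncs is a constructed stand-in for a Sprig-style default map (assumption).
func defaultFuncs() template.FuncMap {
	return template.FuncMap{"env": os.Getenv, "expandenv": os.ExpandEnv, "upper": strings.ToUpper}
}

// hardenedFuncs is the same map without the two environment-reading functions.
func hardenedFuncs() template.FuncMap {
	fm := defaultFuncs()
	delete(fm, "env")
	delete(fm, "expandenv")
	return fm
}

// parses reports whether body parses when only the functions in fm exist.
func parses(name, body string, fm template.FuncMap) bool {
	_, err := template.New(name).Funcs(fm).Parse(body)
	return err == nil
}

// DependsOnEnv lists bodies that parse with the default map but not the hardened one.
func DependsOnEnv(bodies map[string]string) (hits []string) {
	for name, body := range bodies {
		if parses(name, body, defaultFuncs()) && !parses(name, body, hardenedFuncs()) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// Constructed sample bodies; template names, fields and EXAMPLE_VAR are made up.
var samples = map[string]string{
	"field":    `Your env is {{ .env | upper }}`, // plain text and a data field: not a call
	"direct":   `{{ env "EXAMPLE_VAR" }}`,
	"indirect": `{{ define "f" }}{{ upper (expandenv "$EXAMPLE_VAR") }}{{ end }}`,
}

func main() {
	fmt.Println("templates that call env/expandenv:", DependsOnEnv(samples))
}
```

Because the template parser itself rejects undefined functions, this catches calls nested inside `define` blocks and parenthesised pipelines without flagging the word "env" in plain text or a `.env` data field. For a real audit, pass the application's full function map so that unrelated functions do not cause parse failures.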

Responsible: GitHub M

Reservation: 06/02/2025

Disclosure: 06/09/2025

Moderation: accepted

CPE: ready

EPSS: 0.00886

KEV: no

Activities: very low
