A newly discovered Server-Side Template Injection (SSTI) vulnerability in the widely-used LaRecipe documentation tool has been assigned CVE-2025-53833 and scored a perfect 10.0 CVSS, indicating critical risk. This security flaw can lead to Remote Code Execution (RCE), potentially allowing attackers to take full control of servers running the affected version of LaRecipe.
With over 2.3 million downloads, LaRecipe is a favorite among Laravel developers for building in-app documentation. However, its popularity may now make it a prime target for exploitation.
"A critical vulnerability was discovered in LaRecipe that allows an attacker to perform Server-Side Template Injection (SSTI), potentially leading to Remote Code Execution (RCE) in vulnerable configurations," the advisory warns.
LaRecipe is a code-driven Laravel package that enables developers to easily build and manage beautiful documentation directly within their applications. It integrates seamlessly into Laravel's ecosystem and supports markdown-based authoring, version control, and theme customization.
But like many tools that interact dynamically with user input, LaRecipe’s rendering engine is susceptible to exploitation if proper sanitization is not enforced.
At the heart of CVE-2025-53833 lies an SSTI vulnerability: attackers can inject arbitrary code into LaRecipe's server-side templates. Once rendered, this code can be executed with the same privileges as the application itself.
Depending on the configuration of the target server, attackers may be able to:
- Execute arbitrary commands on the server
- Access sensitive .env variables, such as database credentials and API keys
- Escalate privileges, potentially gaining root or administrative access
This poses a severe risk for production environments, especially if LaRecipe is publicly exposed or embedded in customer-facing platforms.
Developers and DevOps teams are strongly advised to upgrade to LaRecipe v2.8.1 or later, which contains the necessary fix to eliminate this SSTI vulnerability.
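A quick way to check whether a Laravel project still pulls in an affected release, as an added example that is not part of this article: it reads composer.lock and compares the installed LaRecipe version against the fixed release named above. The Composer package name binarytorch/larecipe is an assumption; confirm it against your own lock file.

```python
import json
import re

# Fix version stated in the advisory summary above.
FIXED_VERSION = (2, 8, 1)
# Composer package name for LaRecipe; assumed here, confirm against your own composer.lock.
PACKAGE_NAME = "binarytorch/larecipe"


def parse_version(version):
    """Turn a Composer version string such as 'v2.7.3' or '2.8.1' into a comparable tuple.
    Returns None for non-numeric versions (dev branches, commit references)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def installed_larecipe_version(lock_json):
    """Return the installed LaRecipe version string from composer.lock content, or None if absent."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE_NAME:
                return pkg.get("version")
    return None


def is_vulnerable(lock_json):
    """True if LaRecipe is installed at a version below the fixed release.
    Versions that cannot be parsed (e.g. dev-master) are flagged so they get reviewed manually."""
    version = installed_larecipe_version(lock_json)
    if version is None:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < FIXED_VERSION


# Constructed sample composer.lock fragments (not taken from any real project).
SAMPLE_LOCK_OLD = json.dumps({"packages": [{"name": PACKAGE_NAME, "version": "v2.7.1"}]})
SAMPLE_LOCK_FIXED = json.dumps({"packages": [{"name": PACKAGE_NAME, "version": "v2.8.1"}]})

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_OLD
    print("vulnerable" if is_vulnerable(data) else "not affected", installed_larecipe_version(data))
```

Run it with the path to a project's composer.lock as the only argument; with no argument it checks the constructed sample.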