Security Patch - February 2025
A new vulnerability was uncovered in the Jahia studio.
By exploiting this vulnerability, an authenticated user can use one of the Jahia Studio SCM features (relying on git or svn) to fetch code stored on a remote repository and, by performing a series of specially crafted operations, execute that code.
When this security patch page was written, no exploits were published for Jahia.
Affected versions
- All versions of Jahia with the exception of Jahia docker containers
Patched versions
The vulnerability has been addressed in the following versions of Jahia:
- Jahia 8.2.0.7 and above
- Jahia 8.1.8.2
With these patched versions, Jahia Studio features that rely on SCM are only enabled in development mode (disabled in production) and require the user to have the studioModeAccess permission.
We strongly encourage our customers to upgrade to one of these versions as the primary means of addressing the vulnerability.
Mitigating the vulnerability
The vulnerability can be mitigated by ensuring production environments do not have access to git or svn. These two parameters are only used by the Studio; no other part of the system will be impacted.
This can be done by modifying two parameters in jahia.properties:
######################################################################
### Source control and Maven executables #############################
######################################################################
# The path to git executable
gitPath = false
# The path to svn executable
svnPath = false
If your Jahia environment is running on MS Windows, replace "false" with the path to a PowerShell script that does nothing (for example, containing only exit 1), and point both gitPath and svnPath in jahia.properties at that script.
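The mitigation above can also be checked offline, for example across a fleet of jahia.properties files, without the Jahia Tools console. The following is an added example, not Jahia's own code: it parses a jahia.properties file (samples constructed inline), looks at the gitPath and svnPath keys and reports whether each is disabled ("false", or a caller-supplied path to the Windows no-op script) or still points at an executable; a missing key is counted as not mitigated, which is a conservative assumption rather than documented Jahia behaviour.

```python
import re

# The two jahia.properties keys the advisory tells you to set to "false".
SCM_KEYS = ("gitPath", "svnPath")

def parse_properties(text):
    """Minimal Java .properties reader: skips blank and comment lines
    ('#' or '!'), accepts 'key = value', 'key=value' and 'key: value'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def scm_status(props, noop_scripts=()):
    """Classify gitPath/svnPath as 'disabled', 'enabled' or 'unset'.
    'false' is the Linux mitigation; a path listed in noop_scripts is the
    Windows variant (a do-nothing script). Anything else, including a
    missing key, is treated as not mitigated (conservative assumption)."""
    status = {}
    for key in SCM_KEYS:
        value = props.get(key)
        if value is None:
            status[key] = "unset"
        elif value.lower() == "false" or value in noop_scripts:
            status[key] = "disabled"
        else:
            status[key] = "enabled"
    return status

def is_mitigated(props, noop_scripts=()):
    """True only when both SCM executables are disabled."""
    return all(s == "disabled" for s in scm_status(props, noop_scripts).values())

# Constructed sample files (not taken from a real deployment).
SAMPLE_UNMITIGATED = """\
### Source control and Maven executables ###
# The path to git executable
gitPath = git
# The path to svn executable
svnPath = svn
"""
SAMPLE_MITIGATED = "gitPath = false\nsvnPath = false\n"
SAMPLE_WINDOWS = "gitPath = C:/jahia/noop.ps1\nsvnPath = C:/jahia/noop.ps1\n"
```

Call scm_status(parse_properties(open(path).read())) on each server's jahia.properties; any key reported as "enabled" or "unset" on a production host means the mitigation is not in place there.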
Verifying
You can verify whether your environment is affected by the vulnerability by running the following Groovy script from Jahia Tools.
import org.jahia.bin.Jahia
import org.jahia.commons.Version
import org.jahia.services.SpringContextSingleton
import org.jahia.services.templates.SourceControlFactory
import org.jahia.settings.SettingsBean

// true when lowerBound <= jahiaVersion <= upperBound
def isInVersionRange = { lowerBound, upperBound, jahiaVersion ->
    return new Version(lowerBound).compareTo(new Version(jahiaVersion)) <= 0 &&
           new Version(upperBound).compareTo(new Version(jahiaVersion)) >= 0
}

def checkVersion = { version ->
    // Version ranges that still require the fix (everything below the patched versions listed above)
    def requireFixVersions = [["0.0.0.0", "8.1.8.1"], ["8.2.0.0", "8.2.0.6"]]
    log.info("Checking SCM status for version $version")
    def requireFix = false
    def result = "Your instance is OK."
    requireFixVersions.each { requireFixVersion ->
        requireFix |= isInVersionRange(requireFixVersion[0], requireFixVersion[1], version)
    }
    // SCM is considered active when at least one configured executable is not set to "false"
    def hasSCM = ((SourceControlFactory) SpringContextSingleton.getBean("SourceControlFactory")).sourceControlExecutables.find { scm, exec -> !"false".equals(exec) } != null
    if (requireFix && hasSCM) {
        if (SettingsBean.getInstance().isDevelopmentMode()) {
            result = "Detected Jahia in development mode with an active SCM configuration. You are recommended to upgrade to a patched version of Jahia."
        } else {
            result = "You are running Jahia in production mode and the mitigation was not detected. You are recommended to apply the mitigation."
        }
    }
    return result
}

log.info(checkVersion(Jahia.VERSION))