Twig function config() leaks secrets via invoice/export templates
Affected versions
- Kimai versions <= 2.55.0 are affected by this security issue
- The issue has been fixed in Kimai 2.56.0
- Severity: Low
- We have not requested an official CVE ID for this security advisory
Description
The Twig sandbox used for invoice and export HTML/PDF templates lets the config() function read any value from the Kimai system configuration.
A System-Admin (ROLE_SUPER_ADMIN) who uploads a crafted invoice template can therefore render server-wide secrets — such as the LDAP bind password or the SAML SP private key — into the generated invoice.
The resulting PDF or HTML is then handed to whoever creates an invoice from that template, including lower-privileged users such as teamleads with invoice permissions.
- The sandbox issue affects both invoice and export HTML/PDF templates.
- The practical attack vector is invoice templates: they can be uploaded through the Kimai admin UI with the permission upload_invoice_template, which by default is held only by System-Admin (ROLE_SUPER_ADMIN).
- Custom export HTML/PDF templates cannot be uploaded through the UI. Reaching the export side requires direct filesystem access to the Kimai installation, which already implies a much stronger attacker position.
- Secrets become reachable when both conditions are met:
  - LDAP or SAML is configured in kimai.yaml (or another secret is stored in the system configuration).
  - A System-Admin with upload_invoice_template acts maliciously and uploads a crafted template.
- Once the template is in place, every invoice generated from it embeds the leaked configuration into the downloadable PDF or HTML output.
- Kimai Cloud is not affected because Twig templates have to pass a manual review process.
Solution
The config() function now refuses access to any key under saml. or ldap., regardless of where it is called from.
Inside sandboxed invoice and export templates, config() is further restricted to a fixed allow-list of configuration keys that are safe to expose in generated documents.
Users should update to 2.56.0 or newer.
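The two-layer guard described above, as an added example written for this advisory rather than Kimai's own patch: a Twig `config` function that refuses every key under `saml.` or `ldap.` no matter who calls it, and that additionally enforces a fixed allow-list when the calling template runs inside Twig's sandbox. The allow-listed keys and the `$lookup` callable standing in for Kimai's configuration store are assumptions.

```php
<?php
// Added example, not Kimai's code. Hardened Twig "config" function:
//  1. keys under "saml." and "ldap." are always refused;
//  2. inside a sandboxed (invoice/export) template only allow-listed keys are served.

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\AbstractExtension;
use Twig\Extension\SandboxExtension;
use Twig\TwigFunction;

final class GuardedConfigExtension extends AbstractExtension
{
    // Prefixes that must never be readable from any template.
    private const DENIED_PREFIXES = ['saml.', 'ldap.'];

    // Hypothetical allow-list of keys considered safe in generated documents.
    private const SANDBOX_ALLOW_LIST = ['company.name', 'invoice.number_format'];

    // $lookup is an assumed callable: string $key -> mixed value (the config store).
    public function __construct(private readonly \Closure $lookup) {}

    public function getFunctions(): array
    {
        // needs_environment gives us the Environment so we can detect sandbox mode.
        return [new TwigFunction('config', [$this, 'config'], ['needs_environment' => true])];
    }

    public function config(Environment $env, string $key): mixed
    {
        $normalized = strtolower(trim($key));

        // Layer 1: deny secret namespaces regardless of caller.
        foreach (self::DENIED_PREFIXES as $prefix) {
            if (str_starts_with($normalized, $prefix)) {
                throw new RuntimeError(sprintf('Configuration key "%s" is not accessible from templates.', $key));
            }
        }

        // Layer 2: sandboxed templates only get the fixed allow-list.
        if ($this->isSandboxed($env) && !in_array($normalized, self::SANDBOX_ALLOW_LIST, true)) {
            throw new RuntimeError(sprintf('Configuration key "%s" is not allowed in sandboxed templates.', $key));
        }

        return ($this->lookup)($normalized);
    }

    private function isSandboxed(Environment $env): bool
    {
        return $env->hasExtension(SandboxExtension::class)
            && $env->getExtension(SandboxExtension::class)->isSandboxed();
    }
}
```

Throwing a RuntimeError rather than returning null makes a refused lookup visible in rendering logs instead of silently producing an empty field.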
Credits
- Reported by: fg0x0
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-vrqv-52x7-rm4v