CVE-2025-34300 Overview
CVE-2025-34300 is a server-side template injection vulnerability in Sawtooth Software's Lighthouse Studio, affecting versions prior to 9.16.14. The flaw resides in the ciwweb.pl Perl web application used to host survey content. An unauthenticated remote attacker can inject template directives that the application evaluates on the server, resulting in arbitrary command execution. The vulnerability is tracked under CWE-20: Improper Input Validation and carries a CVSS 4.0 base score of 10.0.
Critical Impact
Unauthenticated attackers can execute arbitrary operating system commands on hosts running vulnerable ciwweb.pl deployments, leading to full server compromise.
Affected Products
- Sawtooth Software Lighthouse Studio versions prior to 9.16.14
- The ciwweb.pl Perl web application bundled with Lighthouse Studio
- Web-hosted Lighthouse Studio survey deployments (CiW/Sawtooth web survey runtime)
Discovery Timeline
- 2025-07-16 - CVE-2025-34300 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-34300
Vulnerability Analysis
Lighthouse Studio is a widely deployed survey authoring product, and the web-hosted runtime is served by the ciwweb.pl Perl CGI application. The application processes user-supplied request parameters and passes them into a templating layer without adequate sanitization. Because the templating engine evaluates expressions server-side, attacker-controlled input is treated as template syntax rather than as inert data. This produces a classic Server-Side Template Injection (SSTI) condition that escalates directly to operating system command execution because the template context exposes Perl evaluation primitives.
The vulnerability is reachable across the network with no authentication, no user interaction, and low complexity. According to research published by SLCyber and the VulnCheck advisory, exploitation yields code execution as the user account hosting the survey runtime.
Root Cause
The root cause is improper input validation [CWE-20] in ciwweb.pl. User-controlled request data is concatenated into or interpolated through a template construct that supports embedded code evaluation. The application does not constrain the parameter to a safe character set, escape templating metacharacters, or sandbox the template rendering context. As a result, any client that can reach the survey endpoint can introduce template syntax that the Perl interpreter executes.
Attack Vector
An attacker sends a crafted HTTP request to a Lighthouse Studio survey endpoint served by ciwweb.pl. The request contains template directives in a parameter that flows into the vulnerable render path. The server evaluates the directive and returns the result, or executes side-effecting commands such as spawning a shell, writing a webshell, or initiating outbound network connections. Because the path is pre-authentication, attackers can mass-scan internet-exposed survey hosts and chain the primitive into persistence or lateral movement. The EPSS score of 71.1% indicates a high probability of in-the-wild exploitation activity.
No verified public exploit code is referenced in the enriched data. Refer to the VulnCheck advisory for exploitation specifics.
Detection Methods for CVE-2025-34300
Indicators of Compromise
- HTTP requests to URLs containing ciwweb.pl with parameters that include template metacharacters such as [%, %], ${, or Perl evaluation tokens.
- Unexpected child processes of the Perl interpreter or web server user, including sh, bash, cmd.exe, powershell.exe, curl, wget, or nc.
- New or modified files in survey web roots, particularly script files with recent timestamps that were not deployed by administrators.
- Outbound network connections from the survey host to unknown IP addresses shortly after inbound HTTP traffic to ciwweb.pl.
Detection Strategies
- Inspect web server access logs for requests to ciwweb.pl containing encoded template syntax or unusually long query strings.
- Hunt for process lineage where perl.exe or httpd/IIS worker processes spawn command shells or download utilities.
- Correlate Lighthouse Studio version data from asset inventory against the fixed version 9.16.14 to identify vulnerable hosts.
Monitoring Recommendations
- Enable verbose request logging on web servers fronting Lighthouse Studio and forward to a centralized SIEM or data lake for retention and analytics.
- Alert on any process execution by the survey runtime account that is not part of the documented Lighthouse Studio process tree.
- Monitor egress traffic from survey hosts and baseline expected destinations to detect reverse shells and tool downloads.
How to Mitigate CVE-2025-34300
Immediate Actions Required
- Upgrade Sawtooth Software Lighthouse Studio to version 9.16.14 or later on every host running ciwweb.pl.
- Restrict network access to survey servers using firewall rules or a reverse proxy with allow-lists until patching is complete.
- Review web and system logs for indicators of prior exploitation, and rotate credentials stored on or accessible from the host if compromise is suspected.
- Validate the integrity of survey web roots and remove any unauthorized scripts or scheduled tasks.
Patch Information
Sawtooth Software has released Lighthouse Studio 9.16.14, which remediates the template injection in ciwweb.pl. Download details and release notes are available on the Sawtooth Software Version History page. After upgrading, redeploy any active surveys so they execute against the patched runtime.
Workarounds
- Take internet-exposed ciwweb.pl endpoints offline until the upgrade to 9.16.14 is completed.
- Place the survey host behind a web application firewall (WAF) with rules that block template metacharacters in query and body parameters targeting ciwweb.pl.
- Run the Perl CGI process under a least-privileged service account that cannot write to web roots or spawn shells, reducing exploitation impact.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
