jinja2 2.10.1 vulnerabilities

Known vulnerabilities in the jinja2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Template Injection Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Template Injection through the `\|attr` filter. An attacker that controls the content of a template can escape the sandbox and execute arbitrary Python code by using the `\|attr` filter to get a reference to a string's plain format method, bypassing the environment's attribute lookup. Note: This is only exploitable if the application executes untrusted templates. How to fix Template Injection? Upgrade `Jinja2` to version 3.1.6 or higher.	[,3.1.6)
M Improper Neutralization Affected versions of this package are vulnerable to Improper Neutralization when importing a macro in a template whose filename is also a template. This will result in a `SyntaxError: f-string: invalid syntax` error message because the filename is not properly escaped, indicating that it is being treated as a format string. Note: This is only exploitable when the attacker controls both the content and filename of a template and the application executes untrusted templates. How to fix Improper Neutralization? Upgrade `jinja2` to version 3.1.5 or higher.	[,3.1.5)
M Template Injection Affected versions of this package are vulnerable to Template Injection when an attacker controls the content of a template. This is due to an oversight in the sandboxed environment's method detection when using a stored reference to a malicious string's `format` method, which can then be executed through a filter. Note: This is only exploitable through custom filters in an application. How to fix Template Injection? Upgrade `jinja2` to version 3.1.5 or higher.	[,3.1.5)
M Cross-site Scripting (XSS) Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `xmlattr` filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure. Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters. How to fix Cross-site Scripting (XSS)? Upgrade `Jinja2` to version 3.1.4 or higher.	[,3.1.4)
M Cross-site Scripting (XSS) Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `xmlattr` filter, when using keys containing spaces in an application accepts keys as user input. An attacker can inject arbitrary HTML attributes into the rendered HTML template, bypassing the auto-escaping mechanism, which may lead to the execution of untrusted scripts in the context of the user's browser session. Note Accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix. How to fix Cross-site Scripting (XSS)? Upgrade `Jinja2` to version 3.1.3 or higher.	[,3.1.3)
M Regular Expression Denial of Service (ReDoS) Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts or limiting process memory. PoC by Yeting Li `from jinja2.utils import urlize from time import perf_counter for i in range(3): text = "abc@" + "." * (i+1)*5000 + "!" LEN = len(text) BEGIN = perf_counter() urlize(text) DURATION = perf_counter() - BEGIN print(f"{LEN}: took {DURATION} seconds!")` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `Jinja2` to version 2.11.3 or higher.	[,2.11.3)

Vulnerability

Vulnerable Version

Template Injection

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Template Injection through the |attr filter. An attacker that controls the content of a template can escape the sandbox and execute arbitrary Python code by using the |attr filter to get a reference to a string's plain format method, bypassing the environment's attribute lookup.

Note:

This is only exploitable if the application executes untrusted templates.

How to fix Template Injection?

Upgrade Jinja2 to version 3.1.6 or higher.

[,3.1.6)

Improper Neutralization

Affected versions of this package are vulnerable to Improper Neutralization when importing a macro in a template whose filename is also a template. This will result in a SyntaxError: f-string: invalid syntax error message because the filename is not properly escaped, indicating that it is being treated as a format string.

Note: This is only exploitable when the attacker controls both the content and filename of a template and the application executes untrusted templates.

How to fix Improper Neutralization?

Upgrade jinja2 to version 3.1.5 or higher.

[,3.1.5)

Template Injection

Affected versions of this package are vulnerable to Template Injection when an attacker controls the content of a template. This is due to an oversight in the sandboxed environment's method detection when using a stored reference to a malicious string's format method, which can then be executed through a filter.

Note: This is only exploitable through custom filters in an application.

How to fix Template Injection?

Upgrade jinja2 to version 3.1.5 or higher.

[,3.1.5)

Cross-site Scripting (XSS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the xmlattr filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure.

Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters.

How to fix Cross-site Scripting (XSS)?

Upgrade Jinja2 to version 3.1.4 or higher.

[,3.1.4)

Cross-site Scripting (XSS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the xmlattr filter, when using keys containing spaces in an application accepts keys as user input. An attacker can inject arbitrary HTML attributes into the rendered HTML template, bypassing the auto-escaping mechanism, which may lead to the execution of untrusted scripts in the context of the user's browser session.

Note Accepting keys as user input is not common or a particularly intended use case of the xmlattr filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

How to fix Cross-site Scripting (XSS)?

Upgrade Jinja2 to version 3.1.3 or higher.

[,3.1.3)

Regular Expression Denial of Service (ReDoS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation.

This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts or limiting process memory.

PoC by Yeting Li

from jinja2.utils import urlize
from time import perf_counter

for i in range(3):
    text = "abc@" + "." * (i+1)*5000 + "!"
    LEN = len(text)
    BEGIN = perf_counter()
    urlize(text)
    DURATION = perf_counter() - BEGIN
    print(f"{LEN}: took {DURATION} seconds!")

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade Jinja2 to version 2.11.3 or higher.

[,2.11.3)

jinja2@2.10.1 vulnerabilities

A very fast and expressive template engine.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?

PoC by Yeting Li