jinja2 3.1.3 vulnerabilities

Known vulnerabilities in the jinja2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Template Injection Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Template Injection through the `\|attr` filter. An attacker that controls the content of a template can escape the sandbox and execute arbitrary Python code by using the `\|attr` filter to get a reference to a string's plain format method, bypassing the environment's attribute lookup. Note: This is only exploitable if the application executes untrusted templates. How to fix Template Injection? Upgrade `Jinja2` to version 3.1.6 or higher.	[,3.1.6)
M Improper Neutralization Affected versions of this package are vulnerable to Improper Neutralization when importing a macro in a template whose filename is also a template. This will result in a `SyntaxError: f-string: invalid syntax` error message because the filename is not properly escaped, indicating that it is being treated as a format string. Note: This is only exploitable when the attacker controls both the content and filename of a template and the application executes untrusted templates. How to fix Improper Neutralization? Upgrade `jinja2` to version 3.1.5 or higher.	[,3.1.5)
M Template Injection Affected versions of this package are vulnerable to Template Injection when an attacker controls the content of a template. This is due to an oversight in the sandboxed environment's method detection when using a stored reference to a malicious string's `format` method, which can then be executed through a filter. Note: This is only exploitable through custom filters in an application. How to fix Template Injection? Upgrade `jinja2` to version 3.1.5 or higher.	[,3.1.5)
M Cross-site Scripting (XSS) Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `xmlattr` filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure. Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters. How to fix Cross-site Scripting (XSS)? Upgrade `Jinja2` to version 3.1.4 or higher.	[,3.1.4)

Vulnerability

Vulnerable Version

Template Injection

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Template Injection through the |attr filter. An attacker that controls the content of a template can escape the sandbox and execute arbitrary Python code by using the |attr filter to get a reference to a string's plain format method, bypassing the environment's attribute lookup.

Note:

This is only exploitable if the application executes untrusted templates.

How to fix Template Injection?

Upgrade Jinja2 to version 3.1.6 or higher.

[,3.1.6)

Improper Neutralization

Affected versions of this package are vulnerable to Improper Neutralization when importing a macro in a template whose filename is also a template. This will result in a SyntaxError: f-string: invalid syntax error message because the filename is not properly escaped, indicating that it is being treated as a format string.

Note: This is only exploitable when the attacker controls both the content and filename of a template and the application executes untrusted templates.

How to fix Improper Neutralization?

Upgrade jinja2 to version 3.1.5 or higher.

[,3.1.5)

Template Injection

Affected versions of this package are vulnerable to Template Injection when an attacker controls the content of a template. This is due to an oversight in the sandboxed environment's method detection when using a stored reference to a malicious string's format method, which can then be executed through a filter.

Note: This is only exploitable through custom filters in an application.

How to fix Template Injection?

Upgrade jinja2 to version 3.1.5 or higher.

[,3.1.5)

Cross-site Scripting (XSS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the xmlattr filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure.

Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters.

How to fix Cross-site Scripting (XSS)?

Upgrade Jinja2 to version 3.1.4 or higher.

[,3.1.4)

jinja2@3.1.3 vulnerabilities

A very fast and expressive template engine.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?