jinja2@2.5.2 vulnerabilities

A very fast and expressive template engine.

Direct Vulnerabilities

Known vulnerabilities in the jinja2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the xmlattr filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure.

Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters.

How to fix Cross-site Scripting (XSS)?

Upgrade Jinja2 to version 3.1.4 or higher.

[,3.1.4)
  • M
Cross-site Scripting (XSS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the xmlattr filter, when using keys containing spaces in an application accepts keys as user input. An attacker can inject arbitrary HTML attributes into the rendered HTML template, bypassing the auto-escaping mechanism, which may lead to the execution of untrusted scripts in the context of the user's browser session.

Note Accepting keys as user input is not common or a particularly intended use case of the xmlattr filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

How to fix Cross-site Scripting (XSS)?

Upgrade Jinja2 to version 3.1.3 or higher.

[,3.1.3)
  • M
Regular Expression Denial of Service (ReDoS)

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation.

This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts or limiting process memory.

PoC by Yeting Li

from jinja2.utils import urlize
from time import perf_counter

for i in range(3):
    text = "abc@" + "." * (i+1)*5000 + "!"
    LEN = len(text)
    BEGIN = perf_counter()
    urlize(text)
    DURATION = perf_counter() - BEGIN
    print(f"{LEN}: took {DURATION} seconds!")

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade Jinja2 to version 2.11.3 or higher.

[,2.11.3)
  • H
Sandbox Bypass

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Sandbox Bypass. Users were allowed to insert str.format through web templates, leading to an escape from sandbox.

How to fix Sandbox Bypass?

Upgrade Jinja2 to version 2.8.1 or higher.

[2.5,2.8.1)
  • M
Sandbox Escape

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Sandbox Escape via the str.format_map. This vulnerability requires the attacker to have information about sensitive attributes, and exploiting it could allow the attacker to access sensitive content.

How to fix Sandbox Escape?

Upgrade Jinja2 to version 2.10.1 or higher.

[,2.10.1)
  • M
Privilege Escalation

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Privilege Escalation due to not properly creating temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's UID.

NOTE: This vulnerability exists because of an incomplete fix for CVE-2014-1402.

How to fix Privilege Escalation?

Upgrade Jinja2 to version 2.7.2 or higher.

[,2.7.2)
  • M
Insecure Defaults

Jinja2 is a small but fast and easy to use stand-alone template engine written in pure python.

Affected versions of this package are vulnerable to Insecure Defaults attacks. The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with jinja2 in /tmp.

How to fix Insecure Defaults?

Upgrade to version 2.7.2 or greater.

[,2.7.2)