Remote code execution in Jinja2 template rendering in Nautobot
Description
Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly sandbox Jinja2 template rendering. In Nautobot 1.5.7 has enabled sandboxed environments for the Jinja2 template engine used internally for template rendering for the following objects: extras.ComputedField, extras.CustomLink, extras.ExportTemplate, extras.Secret, extras.Webhook. While no active exploits of this vulnerability are known this change has been made as a preventative measure to protect against any potential remote code execution attacks utilizing maliciously crafted template code. This change forces the Jinja2 template engine to use a SandboxedEnvironment on all new installations of Nautobot. This addresses any potential unsafe code execution everywhere the helper function nautobot.utilities.utils.render_jinja2 is called. Additionally, the documentation that had previously suggesting the direct use of jinja2.Template has been revised to suggest render_jinja2. Users are advised to upgrade to Nautobot 1.5.7 or newer. For users that are unable to upgrade to the latest release of Nautobot, you may add the following setting to your nautobot_config.py to apply the sandbox environment enforcement: TEMPLATES[1]["OPTIONS"]["environment"] = "jinja2.sandbox.SandboxedEnvironment" After applying this change, you must restart all Nautobot services, including any Celery worker processes. Note: *Nautobot specifies two template engines by default, the first being “django” for the Django built-in template engine, and the second being “jinja” for the Jinja2 template engine. This recommended setting will update the second item in the list of template engines, which is the Jinja2 engine.* For users that are unable to immediately update their configuration such as if a Nautobot service restart is too disruptive to operations, access to provide custom Jinja2 template values may be mitigated using permissions to restrict “change” (write) actions to the affected object types listed in the first section. Note: *This solution is intended to be stopgap until you can successfully update your nautobot_config.py or upgrade your Nautobot instance to apply the sandboxed environment enforcement.*
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nautobot versions prior to 1.5.7 allowed remote code execution via unsandboxed Jinja2 template rendering, now fixed by enabling SandboxedEnvironment.
Vulnerability
Overview
CVE-2023-25657 is a remote code execution vulnerability in Nautobot, a Network Source of Truth and Network Automation Platform, affecting versions before 1.5.7 [1][2]. The root cause is that Nautobot failed to properly sandbox Jinja2 template rendering, allowing potentially malicious template code to execute arbitrary Python commands [2]. The internal helper function nautobot.utilities.utils.render_jinja2 and the direct use of jinja2.Template (as previously documented) did not enforce any restrictions, leaving the server exposed [2].
Exploitation
Prerequisites
Exploitation requires an authenticated user with the ability to provide or modify template content in objects such as extras.ComputedField, extras.CustomLink, extras.ExportTemplate, extras.Secret, or extras.Webhook [2]. No active exploits were known at disclosure, but the vulnerability could be triggered by submitting crafted Jinja2 template code that accesses unsafe attributes or methods [2][3]. The sandbox, as described in the Jinja2 documentation, blocks access to attributes like __code__ and other dangerous patterns [3].
Impact
If successfully exploited, an attacker could achieve remote code execution on the Nautobot server, potentially compromising the entire platform, its database, and any connected automation infrastructure [2]. Since Nautobot serves as a source of truth and automation hub, the blast radius could extend to network devices managed via Nautobot [4].
Mitigation
Nautobot 1.5.7, released on 2023-01-04, mitigates the issue by enabling SandboxedEnvironment for Jinja2 rendering by default on new installations [1][2]. For existing instances that cannot upgrade immediately, administrators can add TEMPLATES[1]["OPTIONS"]["environment"] = "jinja2.sandbox.SandboxedEnvironment" to nautobot_config.py and restart all Nautobot services, including Celery workers [2]. The documentation has also been updated to recommend the safer render_jinja2 helper [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nautobotPyPI | < 1.5.7 | 1.5.7 |
Affected products
2- nautobot/nautobotv5Range: < 1.5.7
Patches
1d47f157e83b0Enforce sandboxed rendering for Jinja2 templates.
3 files changed · +24 −6
nautobot/core/settings.py+1 −0 modified@@ -468,6 +468,7 @@ "nautobot.core.context_processors.settings", "nautobot.core.context_processors.sso_auth", ], + "environment": "jinja2.sandbox.SandboxedEnvironment", }, }, ]
nautobot/docs/models/dcim/deviceredundancygroup.md+4 −4 modified@@ -142,7 +142,7 @@ The following snippet represents an example Cisco ASA failover configuration tem ```python # Configuration Template for Cisco ASA -template_body=""" +template_code = """ {% set redundancy_members = gql_data['data']['devices'][0]['device_redundancy_group']['members'] %} {% set failover_device_local = redundancy_members[0] if redundancy_members[0].name == device else redundancy_members[1] %} {% set failover_device_peer = redundancy_members[0] if redundancy_members[0].name != device else redundancy_members[1] %} @@ -172,15 +172,15 @@ failover Following snippet represents an example Cisco ASA Failover rendered configuration: ```python -from jinja2 import Template +from nautobot.utilities.utils import render_jinja2 -tm=Template(template_body) -nyc_fw_primary_config = tm.render( +context = dict( device=hostname, gql_data=gql_data, priority_mapping={50: 'secondary', 100: 'primary'} ) +nyc_fw_primary_config = render_jinja2(template_code=template_code, context=context) print(nyc_fw_primary_config) ```
nautobot/utilities/tests/test_jinja_filters.py+19 −2 modified@@ -1,9 +1,9 @@ from django.test import TestCase -from jinja2.exceptions import TemplateAssertionError - +from jinja2.exceptions import SecurityError, TemplateAssertionError from netutils.utils import jinja2_convenience_function from nautobot.utilities.utils import render_jinja2 +from nautobot.dcim.models import Site class NautobotJinjaFilterTest(TestCase): @@ -64,3 +64,20 @@ def test_netutils_filters_in_jinja(self): raise except Exception: pass + + def test_sandboxed_render(self): + """Assert that Jinja template rendering is sandboxed.""" + template_code = "{{ ''.__class__.__name__ }}" + with self.assertRaises(SecurityError): + render_jinja2(template_code=template_code, context={}) + + def test_safe_render(self): + """Assert that safe Jinja rendering still works.""" + site = Site.objects.filter(region__isnull=False).first() + template_code = "{{ obj.region.name }}" + try: + value = render_jinja2(template_code=template_code, context={"obj": site}) + except SecurityError: + self.fail("SecurityError raised on safe Jinja template render") + else: + self.assertEqual(value, site.region.name)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-8mfq-f5wj-vw5mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-25657ghsaADVISORY
- docs.nautobot.com/projects/core/en/stable/release-notes/version-1.5/ghsaWEB
- github.com/nautobot/nautobot/commit/d47f157e83b0c353bb2b697f911882c71cf90ca0ghsax_refsource_MISCWEB
- github.com/nautobot/nautobot/security/advisories/GHSA-8mfq-f5wj-vw5mghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-37.yamlghsaWEB
- jinja.palletsprojects.com/en/3.0.x/sandbox/ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.