VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 23, 2024· Updated Feb 18, 2025

Jinja has a sandbox breakout through malicious filenames

CVE-2024-56201

Description

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A bug in Jinja compiler prior to 3.1.5 allows arbitrary Python code execution if attacker controls both template filename and content, bypassing sandbox.

Vulnerability

Overview A bug in the Jinja compiler (versions 3.x before 3.1.5) allows an attacker who controls both the filename and content of a template to execute arbitrary Python code. This occurs regardless of whether Jinja's sandbox is enabled, as the compiler incorrectly processes filename inputs leading to code injection [1].

Exploitation

Conditions Successful exploitation requires the attacker to have control over both the template filename and its content. The specific conditions depend on the application using Jinja—typically applications that execute untrusted templates where the template author can also choose the filename [1].

Impact

An attacker with the required access can execute arbitrary Python code on the server, leading to full compromise of the application and its data [1].

Mitigation

Users should upgrade to Jinja version 3.1.5 or later, which fixes the vulnerability. There is no known workaround for affected versions [1].

References
  1. NVD - CVE-2024-56201

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
jinja2PyPI
>= 3.0.0, < 3.1.53.1.5

Affected products

144

Patches

1
767b23617628

fix f-string syntax error in code generation (#1852)

https://github.com/pallets/jinjaDavid LordDec 20, 2024via ghsa
commit
3 files changed · +28 1
  • CHANGES.rst+3 0 modified
    @@ -8,6 +8,9 @@ Unreleased
 -   The sandboxed environment handles indirect calls to ``str.format``, such as
     by passing a stored reference to a filter that calls its argument.
     :ghsa:`q2x7-8rv6-6q7h`
+-   Escape template name before formatting it into error messages, to avoid
+    issues with names that contain f-string syntax.
+    :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
 -   Sandbox does not allow ``clear`` and ``pop`` on known mutable sequence
     types. :issue:`2032`
 -   Calling sync ``render`` for an async template uses ``asyncio.run``.
  • src/jinja2/compiler.py+6 1 modified
    @@ -1141,9 +1141,14 @@ def visit_FromImport(self, node: nodes.FromImport, frame: Frame) -> None:
             )
             self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
             self.indent()
+            # The position will contain the template name, and will be formatted
+            # into a string that will be compiled into an f-string. Curly braces
+            # in the name must be replaced with escapes so that they will not be
+            # executed as part of the f-string.
+            position = self.position(node).replace("{", "{{").replace("}", "}}")
             message = (
                 "the template {included_template.__name__!r}"
-                f" (imported on {self.position(node)})"
+                f" (imported on {position})"
                 f" does not export the requested name {name!r}"
             )
             self.writeline(
  • tests/test_compile.py+19 0 modified
    @@ -1,6 +1,9 @@
 import os
 import re
 
+import pytest
+
+from jinja2 import UndefinedError
 from jinja2.environment import Environment
 from jinja2.loaders import DictLoader
 
@@ -87,3 +90,19 @@ def test_block_set_vars_unpacking_deterministic(tmp_path):
         content,
     )[:10]
     assert found == expect
+
+
+def test_undefined_import_curly_name():
+    env = Environment(
+        loader=DictLoader(
+            {
+                "{bad}": "{% from 'macro' import m %}{{ m() }}",
+                "macro": "",
+            }
+        )
+    )
+
+    # Must not raise `NameError: 'bad' is not defined`, as that would indicate
+    # that `{bad}` is being interpreted as an f-string. It must be escaped.
+    with pytest.raises(UndefinedError):
+        env.get_template("{bad}").render()

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.