VYPR
Moderate severityNVD Advisory· Published Dec 23, 2024· Updated Feb 18, 2025

Jinja has a sandbox breakout through malicious filenames

CVE-2024-56201

Description

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
jinja2PyPI
>= 3.0.0, < 3.1.53.1.5

Affected products

143

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.