VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 23, 2024· Updated Nov 3, 2025

Jinja has a sandbox breakout through indirect reference to format method

CVE-2024-56326

Description

Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An attacker controlling template content can exploit an oversight in Jinja's sandbox to execute arbitrary Python code via indirect str.format calls, fixed in 3.1.5.

Overview

CVE-2024-56326 is a sandbox escape vulnerability in Jinja, an extensible Python templating engine, affecting versions prior to 3.1.5. The core issue is an oversight in how the sandboxed environment detects calls to str.format [1]. Although the sandbox correctly intercepts direct calls to str.format, an attacker can bypass this restriction by storing a reference to a malicious string's format method and then passing that reference to a filter that invokes it [1]. No built-in Jinja filters perform such a call, but the vulnerability becomes exploitable if the application uses any custom filter that calls its argument [1].

Exploitation

To exploit this vulnerability, an attacker must control the content of a template [1]. This condition is met in applications that execute untrusted templates, for example, those that allow user-submitted templates or template fragments [1]. The attack does not require any particular network position beyond the ability to provide template content, and no prior authentication is specified as a barrier [1]. The exploitation chain depends on the presence of a custom filter that calls the passed object, which then invokes the stored format method, leading to arbitrary code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary Python code within the context of the Jinja environment [1]. This can lead to full compromise of the application server, including data theft, modification, or denial of service, depending on the privileges of the running process [1].

Mitigation

The vulnerability is fixed in Jinja version 3.1.5 [1]. Users should upgrade immediately. Applications that cannot upgrade should avoid executing untrusted templates or review custom filters to ensure they do not inadvertently call methods obtained from template-provided objects [1].

References
  1. NVD - CVE-2024-56326

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
jinja2PyPI
< 3.1.53.1.5

Affected products

160

Patches

1
48b0687e05a5

Merge commit from fork

https://github.com/pallets/jinjaDavid LordDec 19, 2024via ghsa
commit
3 files changed · +63 38
  • CHANGES.rst+3 0 modified
    @@ -5,6 +5,9 @@ Version 3.1.5
 
 Unreleased
 
+-   The sandboxed environment handles indirect calls to ``str.format``, such as
+    by passing a stored reference to a filter that calls its argument.
+    :ghsa:`q2x7-8rv6-6q7h`
 -   Sandbox does not allow ``clear`` and ``pop`` on known mutable sequence
     types. :issue:`2032`
 -   Calling sync ``render`` for an async template uses ``asyncio.run``.
  • src/jinja2/sandbox.py+43 38 modified
    @@ -8,6 +8,7 @@
 from _string import formatter_field_name_split  # type: ignore
 from collections import abc
 from collections import deque
+from functools import update_wrapper
 from string import Formatter
 
 from markupsafe import EscapeFormatter
@@ -83,20 +84,6 @@
 )
 
 
-def inspect_format_method(callable: t.Callable[..., t.Any]) -> t.Optional[str]:
-    if not isinstance(
-        callable, (types.MethodType, types.BuiltinMethodType)
-    ) or callable.__name__ not in ("format", "format_map"):
-        return None
-
-    obj = callable.__self__
-
-    if isinstance(obj, str):
-        return obj
-
-    return None
-
-
 def safe_range(*args: int) -> range:
     """A range that can't generate ranges with a length of more than
     MAX_RANGE items.
@@ -316,6 +303,9 @@ def getitem(
                     except AttributeError:
                         pass
                     else:
+                        fmt = self.wrap_str_format(value)
+                        if fmt is not None:
+                            return fmt
                         if self.is_safe_attribute(obj, argument, value):
                             return value
                         return self.unsafe_undefined(obj, argument)
@@ -333,6 +323,9 @@ def getattr(self, obj: t.Any, attribute: str) -> t.Union[t.Any, Undefined]:
             except (TypeError, LookupError):
                 pass
         else:
+            fmt = self.wrap_str_format(value)
+            if fmt is not None:
+                return fmt
             if self.is_safe_attribute(obj, attribute, value):
                 return value
             return self.unsafe_undefined(obj, attribute)
@@ -348,34 +341,49 @@ def unsafe_undefined(self, obj: t.Any, attribute: str) -> Undefined:
             exc=SecurityError,
         )
 
-    def format_string(
-        self,
-        s: str,
-        args: t.Tuple[t.Any, ...],
-        kwargs: t.Dict[str, t.Any],
-        format_func: t.Optional[t.Callable[..., t.Any]] = None,
-    ) -> str:
-        """If a format call is detected, then this is routed through this
-        method so that our safety sandbox can be used for it.
+    def wrap_str_format(self, value: t.Any) -> t.Optional[t.Callable[..., str]]:
+        """If the given value is a ``str.format`` or ``str.format_map`` method,
+        return a new function than handles sandboxing. This is done at access
+        rather than in :meth:`call`, so that calls made without ``call`` are
+        also sandboxed.
         """
+        if not isinstance(
+            value, (types.MethodType, types.BuiltinMethodType)
+        ) or value.__name__ not in ("format", "format_map"):
+            return None
+
+        f_self: t.Any = value.__self__
+
+        if not isinstance(f_self, str):
+            return None
+
+        str_type: t.Type[str] = type(f_self)
+        is_format_map = value.__name__ == "format_map"
         formatter: SandboxedFormatter
-        if isinstance(s, Markup):
-            formatter = SandboxedEscapeFormatter(self, escape=s.escape)
+
+        if isinstance(f_self, Markup):
+            formatter = SandboxedEscapeFormatter(self, escape=f_self.escape)
         else:
             formatter = SandboxedFormatter(self)
 
-        if format_func is not None and format_func.__name__ == "format_map":
-            if len(args) != 1 or kwargs:
-                raise TypeError(
-                    "format_map() takes exactly one argument"
-                    f" {len(args) + (kwargs is not None)} given"
-                )
+        vformat = formatter.vformat
+
+        def wrapper(*args: t.Any, **kwargs: t.Any) -> str:
+            if is_format_map:
+                if kwargs:
+                    raise TypeError("format_map() takes no keyword arguments")
+
+                if len(args) != 1:
+                    raise TypeError(
+                        f"format_map() takes exactly one argument ({len(args)} given)"
+                    )
+
+                kwargs = args[0]
+                args = ()
 
-            kwargs = args[0]
-            args = ()
+            return str_type(vformat(f_self, args, kwargs))
 
-        rv = formatter.vformat(s, args, kwargs)
-        return type(s)(rv)
+        return update_wrapper(wrapper, value)
 
     def call(
         __self,  # noqa: B902
@@ -385,9 +393,6 @@ def call(
         **kwargs: t.Any,
     ) -> t.Any:
         """Call an object from sandboxed code."""
-        fmt = inspect_format_method(__obj)
-        if fmt is not None:
-            return __self.format_string(fmt, args, kwargs, __obj)
 
         # the double prefixes are to avoid double keyword argument
         # errors when proxying the call.
  • tests/test_security.py+17 0 modified
    @@ -173,3 +173,20 @@ def test_safe_format_all_okay(self):
             '{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}'
         )
         assert t.render() == "a42b&lt;foo&gt;"
+
+    def test_indirect_call(self):
+        def run(value, arg):
+            return value.run(arg)
+
+        env = SandboxedEnvironment()
+        env.filters["run"] = run
+        t = env.from_string(
+            """{% set
+                ns = namespace(run="{0.__call__.__builtins__[__import__]}".format)
+            %}
+            {{ ns | run(not_here) }}
+            """
+        )
+
+        with pytest.raises(SecurityError):
+            t.render()

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.