VYPR
← All advisories
Moderate severityNVD Advisory· Published Mar 5, 2025· Updated Feb 26, 2026

Jinja sandbox breakout through attr filter selecting format method

CVE-2025-27516

Description

Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jinja before 3.1.6 allows sandbox escape via the |attr filter, enabling arbitrary code execution from an untrusted template.

Vulnerability

CVE-2025-27516 is a sandbox escape in Jinja, a Python templating engine. The flaw arises from an oversight in how the sandboxed environment interacts with the |attr filter. While the sandbox explicitly prevents calls to str.format from escaping, an attacker can use |attr to obtain a reference to a plain string's format method, bypassing the sandbox controls [1][4].

Exploitation

To exploit the vulnerability, an attacker must control the content of a template. This is relevant for applications that render untrusted templates. The |attr filter previously allowed bypassing the environment's attribute lookup, enabling access to Python internals [2][4].

Impact

A successful exploit allows arbitrary Python code execution within the Jinja environment, potentially leading to full server compromise depending on the host application's permissions [4].

Mitigation

The vulnerability is fixed in Jinja version 3.1.6. The patch modifies the do_attr function to use getattr_static and then delegates to environment.getattr, ensuring sandbox attribute lookup restrictions are enforced [2][4].

References
  1. NVD - CVE-2025-27516
  2. Merge commit from fork · pallets/jinja@90457bb
  3. Sandbox breakout through attr filter selecting format method

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Jinja2PyPI
< 3.1.63.1.6

Affected products

67

Patches

1
90457bbf33b8

Merge commit from fork

https://github.com/pallets/jinjaDavid LordMar 5, 2025via ghsa
commit
3 files changed · +30 21
  • CHANGES.rst+4 0 modified
    @@ -5,6 +5,10 @@ Version 3.1.6
 
 Unreleased
 
+-   The ``|attr`` filter does not bypass the environment's attribute lookup,
+    allowing the sandbox to apply its checks. :ghsa:`cpwx-vrp4-4pq7`
+
+
 Version 3.1.5
 -------------
  • src/jinja2/filters.py+16 21 modified
    @@ -6,6 +6,7 @@
 import typing
 import typing as t
 from collections import abc
+from inspect import getattr_static
 from itertools import chain
 from itertools import groupby
 
@@ -1411,31 +1412,25 @@ def do_reverse(value: t.Union[str, t.Iterable[V]]) -> t.Union[str, t.Iterable[V]
 def do_attr(
     environment: "Environment", obj: t.Any, name: str
 ) -> t.Union[Undefined, t.Any]:
-    """Get an attribute of an object.  ``foo|attr("bar")`` works like
-    ``foo.bar`` just that always an attribute is returned and items are not
-    looked up.
+    """Get an attribute of an object. ``foo|attr("bar")`` works like
+    ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
+    if the attribute doesn't exist.
 
     See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
     """
+    # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
+    # But we want to call env.getattr to get behavior such as sandboxing.
+    # Determine if the attr exists first, so we know the fallback won't trigger.
     try:
-        name = str(name)
-    except UnicodeError:
-        pass
-    else:
-        try:
-            value = getattr(obj, name)
-        except AttributeError:
-            pass
-        else:
-            if environment.sandboxed:
-                environment = t.cast("SandboxedEnvironment", environment)
-
-                if not environment.is_safe_attribute(obj, name, value):
-                    return environment.unsafe_undefined(obj, name)
-
-            return value
-
-    return environment.undefined(obj=obj, name=name)
+        # This avoids executing properties/descriptors, but misses __getattr__
+        # and __getattribute__ dynamic attrs.
+        getattr_static(obj, name)
+    except AttributeError:
+        # This finds dynamic attrs, and we know it's not a descriptor at this point.
+        if not hasattr(obj, name):
+            return environment.undefined(obj=obj, name=name)
+
+    return environment.getattr(obj, name)
 
 
 @typing.overload
  • tests/test_security.py+10 0 modified
    @@ -190,3 +190,13 @@ def run(value, arg):
 
         with pytest.raises(SecurityError):
             t.render()
+
+    def test_attr_filter(self) -> None:
+        env = SandboxedEnvironment()
+        t = env.from_string(
+            """{{ "{0.__call__.__builtins__[__import__]}"
+                  | attr("format")(not_here) }}"""
+        )
+
+        with pytest.raises(SecurityError):
+            t.render()

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.