CVE-2024-56201 — Improper Neutralization of Escape, Meta, or Control Sequences in Jinja

CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences13 documents8 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 35.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pocoo Jinja2 Palletsprojects Jinja Pallets Jinja

Timeline

PublishedDec 23

Latest updateMar 12

Description

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications …

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages5 packages

▶PyPIpocoo/jinja23.0.0 — 3.1.5

▶NVDpalletsprojects/jinja3.0.0 — 3.1.5

▶Debianpocoo/jinja2< 3.1.2-1+deb12u2+2

▶Ubuntupocoo/jinja2< 2.10.1-2ubuntu0.5+9

▶CVEListV5pallets/jinja>= 3.0.0, < 3.1.5

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

jinja2 regression↗2025-03-12

▶

OSV

jinja2 vulnerabilities↗2025-03-11

▶

OSV

jinja2 vulnerabilities↗2025-01-30

▶

CVEList

Jinja has a sandbox breakout through malicious filenames↗2024-12-23

▶

OSV

CVE-2024-56201: Jinja is an extensible templating engine↗2024-12-23

▶

📋Vendor Advisories

Ubuntu

Jinja2 vulnerabilities↗2025-03-11

▶

Ubuntu

Jinja2 vulnerabilities↗2025-01-30

▶

Red Hat

jinja2: Jinja has a sandbox breakout through malicious filenames↗2024-12-23

▶

Microsoft

Jinja has a sandbox breakout through malicious filenames↗2024-12-10

▶

Debian

CVE-2024-56201: jinja2 - Jinja is an extensible templating engine. In versions on the 3.x branch prior to...↗2024

▶