CVE-2021-45116 in Django
Summary
by MITRE • 01/05/2022
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
Analysis
by VulDB Data Team • 05/22/2025
This vulnerability in Django is a critical template injection flaw in the dictsort template filter, which exploits the framework's variable resolution mechanism. The issue stems from insufficient validation and sanitization of user-supplied keys in template contexts, creating potential paths to unauthorized data access and arbitrary code execution. Affected releases are 2.2.x before 2.2.26, 3.2.x before 3.2.11 and 4.0.x before 4.0.1, so the impact is widespread across the Django ecosystem. The root cause lies in how dictsort resolves its key: a crafted key can trigger unintended method calls or expose sensitive information through the template processing pipeline.
Exploitation occurs when dictsort processes a user-controllable key without proper sanitization, letting an attacker manipulate the variable resolution logic. This enables information disclosure, in which sensitive data is reached through unintended object traversal or method invocation. Because the filter relies on the template language's ability to resolve variables and attributes, an attacker may be able to call methods on objects that should remain inaccessible. The flaw maps to CWE-20 (Improper Input Validation) and CWE-94 (Improper Control of Generation of Code), since it combines inadequate input validation with potential code execution through template processing.
Operationally, the vulnerability poses significant risk to applications that feed user-supplied data into template contexts, particularly those that implement sorting with dynamic keys. Attackers could extract sensitive information from application memory, access protected methods or properties, or trigger unintended behavior in the template engine. Depending on the application's architecture and the data reachable through the template system, the impact can extend beyond information disclosure to more severe attacks. Organizations running affected versions face immediate risk, especially where applications pass untrusted input through template filters.
The recommended mitigation is to upgrade to the patched releases 2.2.26, 3.2.11 or 4.0.1, whose fixes properly validate and sanitize the input to the dictsort filter. Organizations should additionally validate input at multiple layers, including template rendering contexts and user input sanitization, so that malicious keys never reach the filter. Security teams should also review custom template filters or local modifications that might introduce similar flaws, apply the principle of least privilege to template variable access, and ensure user-supplied data is properly escaped before template processing. The vulnerability illustrates the importance of secure template design and input validation in web frameworks, and aligns with ATT&CK techniques T1213 (Data from Information Repositories) and T1068 (Exploitation for Privilege Escalation).
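The distinction the analysis draws, a sort key resolved with general template-variable semantics (which invokes any callable it reaches) versus a restricted lookup that never calls methods, as an added stand-alone Python illustration; this is not Django's code, the permissive resolver is a simplified model rather than Django's actual Variable implementation, and Account with its sample data is constructed for the example.

```python
def permissive_resolve(key):
    """Template-variable-style lookup (loosely modelled on the original):
    item, then attribute access, and every callable on the path is CALLED."""
    parts = key.split(".")
    def resolve(obj):
        for part in parts:
            try:
                obj = obj[part]
            except (TypeError, KeyError, IndexError):
                obj = getattr(obj, part)
            if callable(obj):
                obj = obj()  # the unintended method call a crafted key can reach
        return obj
    return resolve

def restricted_resolve(key):
    """Hardened lookup: item or attribute access only, callables are never
    invoked, and underscore-prefixed segments are refused up front."""
    parts = key.split(".")
    if any(part.startswith("_") for part in parts):
        raise AttributeError("Access to private variables is forbidden.")
    def resolve(obj):
        for part in parts:
            try:
                obj = obj[part]
            except (TypeError, KeyError, IndexError):
                obj = getattr(obj, part)
        return obj
    return resolve

def dictsort(value, key, resolver=restricted_resolve):
    """Sort a list of dicts or objects by a dotted key, like the filter."""
    return sorted(value, key=resolver(key))

class Account:
    """Constructed sample object: a private token and a side-effecting method."""
    def __init__(self, name, balance):
        self.name, self.balance = name, balance
        self._api_token = "constructed-secret-" + name
        self.refresh_calls = 0
    def refresh(self):
        self.refresh_calls += 1  # observable side effect
        return self.balance

def sort_names(accounts, key, resolver=restricted_resolve):
    """Sorted names, or the exception type name when the sort is refused."""
    try:
        return [a.name for a in dictsort(accounts, key, resolver)]
    except (TypeError, AttributeError) as exc:
        return type(exc).__name__
```

With the permissive resolver the key "refresh" runs refresh() on every element just to sort; the restricted resolver returns the bound method uncalled (so the sort fails with TypeError and refresh_calls stays unchanged) and rejects "_api_token" before any lookup.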