Pallets Jinja up to 3.1.4 str.format special elements used in a template engine
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Pallets Jinja up to 3.1.4 and classified as critical. This impacts the function str.format. The manipulation results in improper neutralization of special elements used in a template engine.
This vulnerability was named CVE-2024-56326. The attack needs to be approached locally. There is no available exploit.
It is suggested to upgrade the affected component.
Details
A vulnerability classified as critical has been found in Pallets Jinja up to 3.1.4. Affected is the function str.format. The manipulation with an unknown input leads to a improper neutralization of special elements used in a template engine vulnerability. CWE is classifying the issue as CWE-1336. The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5.
The advisory is shared for download at github.com. This vulnerability is traded as CVE-2024-56326 since 12/19/2024. The exploitability is told to be easy. The attack needs to be approached locally. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1221.
The vulnerability scanner Nessus provides a plugin with the ID 213487 (SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-Jinja2 (SUSE-SU-2025:0006-1)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 3.1.5 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 48b0687e05a5466a91cd5812d604fa37ad0943b4 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (213487) and EUVD (EUVD-2024-3607). Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
Version
License
Website
- Product: https://github.com/pallets/jinja/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CNA CVSS-B Score: 🔍
CNA CVSS-BT Score: 🔍
CNA Vector: 🔍
CVSSv3
VulDB Meta Base Score: 7.8VulDB Meta Temp Score: 7.6
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 7.8
CNA Vector (GitHub_M): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Improper neutralization of special elements used in a template engineCWE: CWE-1336 / CWE-791 / CWE-790
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 213487
Nessus Name: SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-Jinja2 (SUSE-SU-2025:0006-1)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Jinja 3.1.5
Patch: 48b0687e05a5466a91cd5812d604fa37ad0943b4
Timeline
12/19/2024 🔍12/23/2024 🔍
12/23/2024 🔍
11/03/2025 🔍
Sources
Product: github.comAdvisory: GHSA-q2x7-8rv6-6q7h
Status: Confirmed
CVE: CVE-2024-56326 (🔍)
GCVE (CVE): GCVE-0-2024-56326
GCVE (VulDB): GCVE-100-289188
EUVD: 🔍
Entry
Created: 12/23/2024 17:31Updated: 11/03/2025 22:09
Changes: 12/23/2024 17:31 (70), 12/24/2024 03:58 (11), 12/24/2024 14:32 (1), 12/27/2024 21:49 (5), 01/04/2025 11:41 (2), 11/03/2025 22:09 (1)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.