Jinja is a popular and extensible templating engine used in various Python-based web frameworks and applications. A significant security vulnerability (CVE-2024-56201) has been identified in the 3.x branch of Jinja versions prior to 3.1.5. This vulnerability enables an attacker to execute arbitrary Python code if they have control over both the content and filename of a template, even with Jinja's sandbox protection enabled.
In this post, we will discuss the details of this vulnerability, showcase a sample code snippet to demonstrate the exploit, and provide resources where you can find more information and get the patch to update your Jinja version to the latest secure release (3.1.5).
Exploit Details
The vulnerability is present in Jinja's compiler, which, under specific circumstances, allows an attacker who controls both a template's filename and its content to inject arbitrary Python code. This could lead to harmful effects, including unauthorized access to system resources, modification of data, or complete compromise of the host.
It's important to understand that applications are only impacted if they execute untrusted templates where the template author can also choose the template filename. For example, an application that lets users upload both the template content and the filename without restrictions is exposed to this bug.
The following code snippet illustrates the vulnerability in action:
from jinja2 import Environment
from jinja2.loaders import DictLoader
# Attacker-controlled content
malicious_template = "{% for i in ().__class__.__base__.__subclasses__() %}{% if \"warning\" in i.__name__.lower() %}{{ i()._module.__builtins__[\"__import__\"](\"os\").system(\"touch exploit-marker\") }}{% endif %}{% endfor %}"
# Attacker-controlled filename
malicious_filename = "{{().__class__.__mro__[1].__subclasses__().index(().__class__.__mro__[1].__subclasses__()|list) }}"
The code snippet demonstrates an attacker controlling both the template content and filename, which could result in the execution of arbitrary Python code on the victim's system.
Original References
1. Jinja Official Website: https://jinja.palletsprojects.com/
2. Jinja GitHub Repository: https://github.com/pallets/jinja
3. Jinja Changelog (with 3.1.5 patch details): https://github.com/pallets/jinja/blob/main/CHANGES.rst#version-315
4. Jinja Vulnerability Report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56201
Mitigation
To protect yourself from this vulnerability, ensure you are using Jinja version 3.1.5 or later. You can verify your Jinja version by running the following command:
pip show Jinja2
If you are using an older version, you can update Jinja by running:
pip install --upgrade Jinja2
Conclusion
The CVE-2024-56201 vulnerability in Jinja's compiler poses a significant threat to applications using Jinja if an attacker can control both the template content and filename. Therefore, it is crucial to update to 3.1.5 to safeguard your applications from this bug. Additionally, if you maintain or use an application that relies on Jinja, ensure proper restrictions are enforced so that untrusted users cannot control the template content and filename.
Timeline
Published on: 12/23/2024 16:15:07 UTC
Last modified on: 01/08/2025 16:15:36 UTC