CVE-2025-27516
Published: 05 March 2025
Summary
CVE-2025-27516 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Palletsprojects Jinja. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE is ranked at the 30.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Mandates timely patching of the sandbox escape vulnerability in Jinja versions prior to 3.1.6, directly eliminating the |attr filter bypass.
- Validates untrusted template content to prevent injection of malicious |attr filter constructs that enable arbitrary code execution.
- Minimizes exposure by restricting or prohibiting untrusted template rendering and sandbox usage unless essential to operations.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability directly enables arbitrary Python code execution by bypassing Jinja sandbox restrictions via the |attr filter, mapping to Python scripting interpreter usage.
NVD Description
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
Deeper analysis (AI)
CVE-2025-27516 is a sandbox escape vulnerability in Jinja, an extensible templating engine for Python, affecting versions prior to 3.1.6. The issue stems from an oversight in how the Jinja sandboxed environment handles the |attr filter, which allows an attacker controlling the content of a template to execute arbitrary Python code. Specifically, while the sandbox blocks calls to str.format to prevent escapes, the |attr filter can be used to obtain a reference to a string's underlying format method, bypassing these restrictions. This impacts applications that use Jinja to execute untrusted templates.
An attacker must control the content of a template rendered by a vulnerable Jinja instance to exploit this flaw, with feasibility depending on the application's design—such as web apps allowing user-supplied templates. Exploitation enables arbitrary Python code execution within the sandboxed context. The CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects a local attacker with low privileges requiring low complexity and no user interaction, achieving high impacts on confidentiality, integrity, and availability due to the changed scope.
The vulnerability is fixed in Jinja 3.1.6, where the |attr filter no longer bypasses the environment's attribute lookup restrictions. Official advisories, including the GitHub security advisory (GHSA-cpwx-vrp4-4pq7) and the associated commit, detail the patch. Debian LTS announcements confirm backported fixes for affected distributions. Security practitioners should upgrade to Jinja 3.1.6 or later and audit applications for untrusted template execution.
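The remediation steps the controls above and this analysis call for (patch to 3.1.6 or later, flag pinned-back dependencies, and screen user-supplied templates for the |attr filter where untrusted rendering cannot yet be removed) can be automated with the standard library alone. The following is an added example written for this page, not Jinja's or the advisory's own code; the function names, the requirements sample, and the regex heuristics are this example's own assumptions.

```python
"""Defender-side checks for CVE-2025-27516 (Jinja |attr sandbox bypass).

Example code written for this page; it is not Jinja's own code and uses
only the standard library, so it runs whether or not Jinja2 is installed.
Function and constant names are this example's own.
"""
import re
from importlib.metadata import PackageNotFoundError
from importlib.metadata import version as installed_version
from typing import List, Optional

# First fixed release named in the advisory.
FIXED_VERSION = (3, 1, 6)


def parse_version(text: str) -> tuple:
    """Reduce '3.1.5' or '3.1.6rc1' to a comparable (major, minor, patch) tuple.
    Pre-release suffixes are ignored, which is acceptable for a >= 3.1.6 gate."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_fixed_jinja(ver: str) -> bool:
    """True when the given Jinja2 version carries the 3.1.6 fix."""
    return parse_version(ver) >= FIXED_VERSION


def installed_jinja_is_fixed() -> Optional[bool]:
    """Check the interpreter's installed Jinja2; None when it is not installed."""
    try:
        return is_fixed_jinja(installed_version("Jinja2"))
    except PackageNotFoundError:
        return None


# Matches 'Jinja2==3.1.5', 'jinja2 < 3.1.6', etc. at the start of a requirements line.
REQ_RE = re.compile(r"^\s*jinja2\s*(==|<=|<)\s*([\w.]+)", re.IGNORECASE)


def scan_requirements(text: str) -> List[str]:
    """Return requirement lines that pin or cap Jinja2 below 3.1.6.

    Only exact pins (==) and upper bounds (<, <=) are decidable from the line
    alone; lower bounds such as '>=3.0' must be checked against the lock file
    or the installed version instead.
    """
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        op, ver = m.group(1), parse_version(m.group(2))
        vulnerable = (
            (op == "==" and ver < FIXED_VERSION)
            or (op == "<" and ver <= FIXED_VERSION)
            or (op == "<=" and ver < FIXED_VERSION)
        )
        if vulnerable:
            findings.append(line.strip())
    return findings


# Heuristic: the |attr filter in template source, allowing spacing such as '| attr ('.
ATTR_FILTER_RE = re.compile(r"\|\s*attr\s*\(")


def uses_attr_filter(template_source: str) -> bool:
    """Pre-render screen for user-supplied templates on a not-yet-patched Jinja.
    Text-based, so treat a hit as 'reject or review', not as proof of exploitation."""
    return ATTR_FILTER_RE.search(template_source) is not None


# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
Flask==3.0.3
Jinja2==3.1.5
markupsafe>=2.1
jinja2<3.1.6
"""

if __name__ == "__main__":
    print("installed Jinja2 fixed:", installed_jinja_is_fixed())
    print("requirement lines to fix:", scan_requirements(SAMPLE_REQUIREMENTS))
    print("template uses |attr:", uses_attr_filter('{{ user.name | attr("upper") }}'))
```

Where Jinja is installed, a more robust pre-render check parses the template with `Environment.parse()` and walks the resulting AST for `jinja2.nodes.Filter` nodes whose `name` is `"attr"`, which avoids the regex's spacing and syntax blind spots; either way, upgrading to 3.1.6 is the control that actually removes the bypass, and the template screen is only a stopgap for the window before the upgrade lands.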
Details
- CWE(s)