INFSA-2025:7476: python-jinja2 security update
Information about definition
Identificator: INFSA-2025:7476
Type: security
Release date: 2025-07-15 19:36:58 UTC
Information about package
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Vulnerabilities description
- CVE-2025-27516
A flaw was found in Jinja. In affected versions, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox.
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
---|---|---|---|
NIST — CVE-2025-27516
|
no information | 7.3 | no information |
Updated packages