INFSA-2025:7476: python-jinja2 security update

Information about definition

Identificator: INFSA-2025:7476

Type: security

Release date: 2025-07-15 19:36:58 UTC

Information about package

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Vulnerabilities description

  • CVE-2025-27516

    A flaw was found in Jinja. In affected versions, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox.

Severity level

CVE Score CVSS 2.0 Score CVSS 3.x Score CVSS 4.0
no information 7.3 no information
Critical, important, moderate, low

Updated packages