| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Jinja2 | pip | < 3.1.4 | 3.1.4 |

The vulnerability lies in the `xmlattr` filter, which is implemented by the `do_xmlattr` function in `src/jinja2/filters.py`. The provided commit patch directly modifies this function to enhance the validation of keys passed to it. The patch changes the regular expression used to validate attribute keys from only checking for spaces (`_space_re`) to checking for a broader set of invalid characters (`_attr_key_re`, which includes `/`, `>`, `=`, and whitespace). This change explicitly addresses the described vulnerability where keys containing these characters were not properly handled, allowing for attribute injection. Therefore, `jinja2.filters.do_xmlattr` is the function that, in its unpatched state, processes the malicious input (the attribute keys) and is directly responsible for the vulnerability.
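
The difference between the two key checks, as an added example that is not Jinja2's own code: `render_xmlattr`, `SPACE_ONLY_RE`, `ATTR_KEY_RE` and the sample keys are hypothetical stand-ins that model the whitespace-only check and the broader check described above.

```python
import re
from html import escape

# Assumed stand-ins for the two checks the advisory describes (not Jinja2 source).
SPACE_ONLY_RE = re.compile(r"\s", flags=re.ASCII)     # unpatched: whitespace only
ATTR_KEY_RE = re.compile(r"[\s/>=]", flags=re.ASCII)  # patched: whitespace, /, >, =

# Constructed sample keys: two benign names, then one per rejected character class.
SAMPLE_KEYS = ("class", "data-id", "a b", "a\tb", "a/b", "a>b", "a=b")


def render_xmlattr(attrs, key_re):
    """Render a dict as attribute text, rejecting any key that matches key_re.

    Keys and values are HTML-escaped, but escaping leaves '/' and '=' untouched,
    so the key check is the only thing keeping them out of the attribute name.
    """
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue  # skip unset attributes
        if key_re.search(key) is not None:
            raise ValueError(f"invalid character in attribute name: {key!r}")
        parts.append(f'{escape(key)}="{escape(str(value))}"')
    return " ".join(parts)


def accepted(key, key_re):
    """True if the given check lets this key through to the output."""
    try:
        render_xmlattr({key: "1"}, key_re)
        return True
    except ValueError:
        return False


def compare(keys=SAMPLE_KEYS):
    """Map each key to (accepted by whitespace-only check, accepted by broader check)."""
    return {k: (accepted(k, SPACE_ONLY_RE), accepted(k, ATTR_KEY_RE)) for k in keys}


if __name__ == "__main__":
    for key, (old, new) in compare().items():
        flag = "  <-- only the broader check rejects this" if old and not new else ""
        print(f"{key!r:10} whitespace-only={old!s:5} broader={new!s:5}{flag}")
```

Keys that come from user input are the case to audit: any template passing a user-controlled dict to `xmlattr` on a version below 3.1.4 relies on the whitespace-only check.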