N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-27516

GHSA ID

GHSA-cpwx-vrp4-4pq7

EPSS Score

0.34101%

CWE

CWE-1336

Published

3/5/2025

Updated

5/1/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27516

CVE-2025-27516: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method

An oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.

Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-27516

GHSA ID

GHSA-cpwx-vrp4-4pq7

EPSS Score

0.34101%

CWE

CWE-1336

Published

3/5/2025

Updated

5/1/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Jinja2	pip	<= 3.1.5	3.1.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly points to the |attr filter as the source of the sandbox bypass. The provided commit 90457bbf33b8662926ae65cdde4c4c32e756e403 modifies the do_attr function in src/jinja2/filters.py. This function is the Python implementation of the |attr filter in Jinja2. The changes in the patch show that the way attributes were accessed was altered to ensure the environment's attribute lookup (which includes sandboxing) is used, specifically by calling environment.getattr. The previous implementation directly used getattr, which, in combination with how str.format was handled, allowed the bypass. Therefore, the do_attr function, in its state before this patch, is the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n ov*rsi**t in *ow t** Jinj* s*n**ox** *nvironm*nt int*r**ts wit* t** `|*ttr` *ilt*r *llows *n *tt**k*r t**t *ontrols t** *ont*nt o* * t*mpl*t* to *x**ut* *r*itr*ry Pyt*on *o**. To *xploit t** vuln*r**ility, *n *tt**k*r n***s to *ontrol t** *ont*nt

Reasoning

T** vuln*r**ility **s*ription *l**rly points to t** `|*ttr` *ilt*r *s t** sour** o* t** s*n**ox *yp*ss. T** provi*** *ommit `****************************************` mo*i*i*s t** `*o_*ttr` *un*tion in `sr*/jinj**/*ilt*rs.py`. T*is *un*tion is t** Py

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-27516: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI