-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| skyvern | pip | <= 0.2.0 |
PythonPythonMiggo AIRoot Cause AnalysisThe vulnerability is a Jinja runtime leak, specifically a template injection vulnerability, in the skyvern.forge.sdk.workflow.models.block.Block.format_block_parameter_template_from_workflow_run_context function. The provided commit db856cd8433a204c8b45979c70a4da1e119d949d shows that the jinja2.Template class, which is known to be unsafe when used with untrusted template strings, was replaced with jinja2.sandbox.SandboxedEnvironment. This change directly points to the format_block_parameter_template_from_workflow_run_context method as the location where the unsafe template rendering occurred. The potential_template variable, if sourced from user input or an otherwise untrusted context, could be crafted to exploit the Jinja2 engine. The use of SandboxedEnvironment is the standard mitigation for such vulnerabilities in Jinja2.
Ongoing coverage of React2Shell