CVE-2024-56201: 
Python vulnerability analysis and mitigation

Jinja is an extensible templating engine that contains a vulnerability (CVE-2024-56201) discovered in versions prior to 3.1.5. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. The vulnerability was disclosed in December 2024 and affects all versions on the 3.x branch before version 3.1.5 (GitHub Advisory).

The vulnerability stems from a bug in the Jinja compiler where template filenames containing f-string syntax could be improperly handled during error message generation. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. The issue was assigned a CVSS v4.0 base score of 5.4 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary Python code in applications that execute untrusted templates where the template author can also choose the template filename. This can lead to a complete compromise of the affected system's confidentiality, integrity, and availability within the context of the application (GitHub Advisory).

The vulnerability has been fixed in Jinja version 3.1.5. Users should upgrade to this version to protect against this security issue. The fix involves properly escaping template names before formatting them into error messages to prevent f-string syntax exploitation (Jinja Release).