
Cloud Vulnerability DB
A community-led vulnerabilities database
Jinja is an extensible templating engine. Versions before 3.1.5 are affected by CVE-2024-56326, published in December 2024: an oversight in how the Jinja sandboxed environment detects calls to str.format can allow an attacker who controls the content of a template to execute arbitrary Python code (GitHub Advisory).
The sandbox intercepts direct calls to str.format and routes them through a sandboxed formatter, so that attribute lookups inside a format string (such as {0.__class__}) cannot escape. It did not, however, handle indirect calls: an attacker could store a reference to a malicious string's format method (a template can do this with a set block) and then pass that reference to a filter that calls its argument, so the call never reached the sandbox's check. Jinja itself ships no filter that calls its argument, so the bypass depends on a custom filter of that kind being registered by the application (GitHub Advisory). The vulnerability has been assigned a CVSS v4.0 base score of 5.4 (Moderate) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).
An attacker who controls template content can therefore potentially execute arbitrary Python code in the rendering process. The precondition is an application that renders untrusted templates in a SandboxedEnvironment and exposes a filter or other callable that invokes the value handed to it; applications that only render trusted templates are not exposed by this issue. The CVSS impact metrics rate Confidentiality, Integrity, and Availability of the vulnerable system as High, with no impact on subsequent systems (GitHub Advisory).
The vulnerability is fixed in Jinja 3.1.5, where the sandbox handles str.format at the point the method is looked up rather than only at a direct call, so indirect calls through a filter are sandboxed as well. Upgrade to 3.1.5 or later; the installed version can be confirmed with pip show jinja2. Until the upgrade is deployed, review the custom filters, tests and globals registered on a SandboxedEnvironment for any that call a value passed in from the template, since such a callable is what makes the bypass reachable (GitHub Release).
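The following is an added, stand-alone model of the two sandbox designs described above; it is not Jinja's code and does not import Jinja. It uses string.Formatter from the standard library, a deliberately simplified attribute policy (block underscore-prefixed names), and hypothetical names (CallSiteSandbox, AccessSiteSandbox, apply_filter, Secret). CallSiteSandbox checks str.format only inside call(), which is the pre-3.1.5 behaviour the advisory describes; AccessSiteSandbox wraps the bound method when it is looked up, which is the design of the fix. A constructed application filter that calls its argument shows how the stored reference bypasses the first design but not the second.

```python
import string
import types


class SecurityError(Exception):
    """Raised when the sandbox blocks an unsafe attribute access."""


def is_safe_attribute(name: str) -> bool:
    # Simplified policy (Jinja's is more detailed): block underscore-prefixed
    # attributes such as __class__, __mro__ and __globals__.
    return not name.startswith("_")


def is_str_format(value) -> bool:
    # True for a bound str.format method, e.g. "{0}".format
    return (
        isinstance(value, types.BuiltinMethodType)
        and value.__name__ == "format"
        and isinstance(value.__self__, str)
    )


class SandboxedFormatter(string.Formatter):
    """Formatter whose field lookups ({0.attr.attr}) go through the sandbox policy."""

    def __init__(self, sandbox):
        super().__init__()
        self.sandbox = sandbox

    def get_field(self, field_name, args, kwargs):
        first, *attrs = field_name.split(".")  # "0.__class__" -> "0", ["__class__"]
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        for name in attrs:
            obj = self.sandbox.getattr(obj, name)  # policy-checked, may raise
        return obj, first


class CallSiteSandbox:
    """Pre-fix design: str.format is only intercepted when the call itself goes
    through sandbox.call(). The bound method returned by getattr() is the raw one."""

    def getattr(self, obj, name):
        if not is_safe_attribute(name):
            raise SecurityError(f"access to {name!r} is unsafe")
        return getattr(obj, name)

    def call(self, fn, *args, **kwargs):
        if is_str_format(fn):
            return SandboxedFormatter(self).vformat(fn.__self__, args, kwargs)
        return fn(*args, **kwargs)


class AccessSiteSandbox(CallSiteSandbox):
    """Post-fix design: a bound str.format is replaced by a sandboxed wrapper at
    lookup time, so every later call is checked, whether direct or via a filter."""

    def getattr(self, obj, name):
        value = super().getattr(obj, name)
        if is_str_format(value):
            formatter = SandboxedFormatter(self)
            return lambda *a, **kw: formatter.vformat(value.__self__, a, kw)
        return value


def apply_filter(fn, arg):
    """Hypothetical application filter that calls its argument. Jinja ships no
    such filter; the advisory's bypass needs the application to register one."""
    return fn(arg)


class Secret:
    """Constructed context object handed to the template."""
    token = "hunter2"


PROBE = "{0.__class__.__mro__}"  # attribute chain the sandbox should refuse


def indirect_call(sandbox, obj, fmt=PROBE):
    """Models `{% set f = fmt.format %}{{ f | apply(obj) }}`: the format method is
    stored, then invoked by the filter, never by sandbox.call()."""
    f = sandbox.getattr(fmt, "format")
    return apply_filter(f, obj)


def direct_call(sandbox, obj, fmt=PROBE):
    """Models `{{ fmt.format(obj) }}`: a call expression routed through sandbox.call()."""
    f = sandbox.getattr(fmt, "format")
    return sandbox.call(f, obj)


def escapes(sandbox, via) -> bool:
    """True if `via` (direct_call or indirect_call) gets the probe past the sandbox."""
    try:
        via(sandbox, Secret())
        return True
    except SecurityError:
        return False


if __name__ == "__main__":
    for name, sb in (("pre-fix", CallSiteSandbox()), ("post-fix", AccessSiteSandbox())):
        print(name, "direct:", escapes(sb, direct_call), "indirect:", escapes(sb, indirect_call))
    # pre-fix direct: False indirect: True
    # post-fix direct: False indirect: False
```

The pre-fix sandbox blocks the direct call but lets the stored reference leak the class MRO through the filter; the post-fix sandbox refuses both while still formatting harmless fields such as {0.token}. The same reasoning applies to any sandbox hook placed at a call site: a reference that escapes to code outside the hook is unchecked, so the guard belongs where the reference is handed out.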
Source: This report was generated using AI