Arbitrary Code Execution in Jinja Templating Engine Affecting Pallets
CVE-2025-27516

5.4MEDIUM

Key Information:

Vendor: Pallets
Status: Jinja
Vendor: CVE Published:; 5 March 2025

What is CVE-2025-27516?

An oversight in the Jinja templating engine's sandboxed environment allows for arbitrary Python code execution by using the |attr filter in templates controlled by an attacker. This occurs in versions prior to 3.1.6, where the |attr filter improperly interacts with the sandbox, enabling the exploitation of untrusted templates. Applications leveraging Jinja must ensure they upgrade to version 3.1.6 or later to mitigate this risk, as the fix prevents bypassing the environment's attribute lookup, enhancing security against potential code execution threats.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

jinja < 3.1.6

References

https://github.com/pallets/jinja/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/pallets/jinja/commit/90457bbf33b866292...

x_refsource_MISC

CVSS V4

Score:

5.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Feb 26, 2025

JSON

Pallets

What is CVE-2025-27516?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.