Jinja2 update for Debian ELTS

A security update for the Jinja2 template engine has been released for Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) as part of the Extended Long Term Support (ELTS) program. The update, identified as ELA-1396-1, addresses critical vulnerabilities that could allow an attacker who controls untrusted template content to execute arbitrary Python code.

The updated Jinja2 package versions shipped with this advisory are:
- 2.7.3-1+deb8u2 for Jessie
- 2.8-1+deb9u2 for Stretch
- 2.10-2+deb10u2 for Buster
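As an added example (not part of the advisory), a small POSIX shell check that maps the host's Debian codename to the fixed version above and compares it with the installed Jinja2 package; the binary package names `python-jinja2`/`python3-jinja2` and the `sort -V` fallback comparator are assumptions.

```shell
#!/bin/sh
# Added example, not from the ELA-1396-1 advisory: verify that the installed
# Jinja2 package is at or above the version shipped in ELA-1396-1.

# Map a Debian codename to the Jinja2 version shipped in ELA-1396-1
# (versions taken from the advisory); unknown codenames return 1.
fixed_version_for() {
    case "$1" in
        jessie)  echo "2.7.3-1+deb8u2" ;;
        stretch) echo "2.8-1+deb9u2" ;;
        buster)  echo "2.10-2+deb10u2" ;;
        *)       return 1 ;;
    esac
}

# Return 0 if $1 >= $2 as Debian package versions. Prefer dpkg's own
# comparator; otherwise fall back to GNU 'sort -V' (assumption), which orders
# the simple "upstream-revision+debNuM" strings used here the same way dpkg does.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# Check every installed Jinja2 binary package on this host. Pass the codename
# explicitly on Jessie, whose /etc/os-release lacks VERSION_CODENAME.
# Returns 0 if all packages are fixed, 1 if any is below the fixed version,
# 2 if the release is not covered by this advisory.
check_host() {
    codename=${1:-$(. /etc/os-release 2>/dev/null && echo "${VERSION_CODENAME:-}")}
    fixed=$(fixed_version_for "$codename") || {
        echo "release '$codename' is not covered by ELA-1396-1"; return 2; }
    status=0
    for pkg in python-jinja2 python3-jinja2; do   # assumed package names
        installed=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
        if version_ge "$installed" "$fixed"; then
            echo "$pkg $installed: fixed (>= $fixed)"
        else
            echo "$pkg $installed: NOT fixed, update to $fixed"
            status=1
        fi
    done
    return $status
}
```

Run `check_host` (or `check_host jessie`) on the host; a non-zero exit means at least one Jinja2 package is still below the ELA-1396-1 version.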

The vulnerabilities associated with this update are tracked under the following CVEs:
- CVE-2024-56326
- CVE-2025-27516

CVE-2024-56326: This vulnerability arises from an oversight in how the Jinja sandboxed environment detects calls to the `str.format` method. It can be exploited by an attacker who controls the content of a template. Although the sandbox intercepts direct calls to `str.format`, a custom filter in the application can end up calling a string's `format` method on the template's behalf, outside the sandbox's checks. The update ensures that such indirect calls are also handled by the sandbox.

CVE-2025-27516: This vulnerability involves the interaction between the sandbox and the built-in `|attr` filter. As with the previous CVE, an attacker who controls template content can execute arbitrary Python code. The `|attr` filter could return the plain `format` method of a string without going through the sandbox's attribute lookup, which allowed the sandbox to be bypassed. The update ensures that the `|attr` filter uses the environment's attribute lookup.

In summary, users of the affected Debian releases are advised to apply this security update promptly to mitigate the risk of exploitation through untrusted template rendering in applications that use Jinja2. It is also recommended to review application configurations and ensure that templates are handled securely to prevent further vulnerabilities.

A jinja2 security update has been released for Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:

ELA-1396-1 jinja2 security update

Jinja2 update for Debian ELTS @ Linux Compatible