Bug 2350190 (CVE-2025-27516)

Summary: CVE-2025-27516 jinja2: Jinja sandbox breakout through attr filter selecting format method
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abarbaro, adudiak, ahrabovs, aprice, aucunnin, bbrownin, bdettelb, brking, caswilli, cdaley, dfreiber, dhanak, dnakabaa, doconnor, dranck, drow, dsimansk, eglynn, gtanzill, haoli, hkataria, jajackso, jburrell, jcammara, jchui, jdobes, jeder, jforrest, jhe, jjoyce, jkoehler, jmitchel, jneedle, jsamir, jschluet, jtanner, jwong, kaycoth, kegrant, kgaikwad, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lcouzens, lhh, ljawale, lphiri, lsvaty, luizcosta, mabashia, matzew, mburns, mgarciac, mnovotny, mpierce, mskarbek, mstoklus, nboldt, nweather, oezr, omaciel, orabin, pbraun, pgrist, pierdipi, psegedy, psrna, rbobbitt, rguimara, rhuss, sausingh, shvarugh, simaishi, smcdonal, stcannon, sthirugn, teagle, tfister, thavo, ttakamiy, vkrizan, vkumar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Jinja. In affected versions, an oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-03-05 21:01:31 UTC 
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
Comment 2 Fedora Update System 2025-03-11 01:34:00 UTC 
FEDORA-2025-cd7f5876b2 (python-jinja2-3.1.6-1.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 3 errata-xmlrpc 2025-03-11 15:12:57 UTC 
This issue has been addressed in the following products:

  Ansible Automation Platform Execution Environments

Via RHSA-2025:2664 https://access.redhat.com/errata/RHSA-2025:2664
Comment 4 errata-xmlrpc 2025-03-12 15:38:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:2688 https://access.redhat.com/errata/RHSA-2025:2688
Comment 5 Fedora Update System 2025-03-15 00:43:06 UTC 
FEDORA-2025-bb0ea8b8c0 (python-jinja2-3.1.6-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 6 errata-xmlrpc 2025-03-18 19:45:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:3017 https://access.redhat.com/errata/RHSA-2025:3017
Comment 7 errata-xmlrpc 2025-03-24 10:49:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3111 https://access.redhat.com/errata/RHSA-2025:3111
Comment 8 errata-xmlrpc 2025-03-24 14:07:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3113 https://access.redhat.com/errata/RHSA-2025:3113
Comment 9 errata-xmlrpc 2025-03-24 17:50:25 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:3123 https://access.redhat.com/errata/RHSA-2025:3123
Comment 10 errata-xmlrpc 2025-03-24 23:58:43 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:3124 https://access.redhat.com/errata/RHSA-2025:3124
Comment 11 Fedora Update System 2025-03-25 00:57:56 UTC 
FEDORA-2025-8b6aa24ab4 (python-jinja2-3.1.6-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 12 errata-xmlrpc 2025-03-25 12:23:59 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:3160 https://access.redhat.com/errata/RHSA-2025:3160
Comment 13 errata-xmlrpc 2025-03-25 17:10:43 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:3162 https://access.redhat.com/errata/RHSA-2025:3162
Comment 15 errata-xmlrpc 2025-03-27 18:38:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:3371 https://access.redhat.com/errata/RHSA-2025:3371
Comment 16 errata-xmlrpc 2025-03-31 02:05:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3388 https://access.redhat.com/errata/RHSA-2025:3388
Comment 17 errata-xmlrpc 2025-03-31 14:00:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3406 https://access.redhat.com/errata/RHSA-2025:3406
Comment 18 errata-xmlrpc 2025-04-03 06:00:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:3562 https://access.redhat.com/errata/RHSA-2025:3562
Comment 19 errata-xmlrpc 2025-04-03 09:44:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:3580 https://access.redhat.com/errata/RHSA-2025:3580
Comment 20 errata-xmlrpc 2025-04-03 10:32:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3585 https://access.redhat.com/errata/RHSA-2025:3585
Comment 21 errata-xmlrpc 2025-04-03 10:35:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3586 https://access.redhat.com/errata/RHSA-2025:3586
Comment 22 errata-xmlrpc 2025-04-03 10:44:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:3588 https://access.redhat.com/errata/RHSA-2025:3588
Comment 23 errata-xmlrpc 2025-04-07 02:14:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:3622 https://access.redhat.com/errata/RHSA-2025:3622
Comment 24 errata-xmlrpc 2025-04-08 05:52:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:3671 https://access.redhat.com/errata/RHSA-2025:3671
Comment 25 errata-xmlrpc 2025-04-09 01:20:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:3568 https://access.redhat.com/errata/RHSA-2025:3568
Comment 27 errata-xmlrpc 2025-04-16 02:19:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:3789 https://access.redhat.com/errata/RHSA-2025:3789
Comment 28 errata-xmlrpc 2025-04-16 06:12:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3775 https://access.redhat.com/errata/RHSA-2025:3775
Comment 29 errata-xmlrpc 2025-04-17 00:57:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:3779 https://access.redhat.com/errata/RHSA-2025:3779
Comment 30 errata-xmlrpc 2025-04-22 14:51:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4018 https://access.redhat.com/errata/RHSA-2025:4018
Comment 31 errata-xmlrpc 2025-04-30 01:25:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4203 https://access.redhat.com/errata/RHSA-2025:4203
Comment 33 errata-xmlrpc 2025-05-08 19:30:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:4408 https://access.redhat.com/errata/RHSA-2025:4408
Comment 34 errata-xmlrpc 2025-05-09 04:33:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4431 https://access.redhat.com/errata/RHSA-2025:4431
Comment 35 errata-xmlrpc 2025-05-13 15:57:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7476 https://access.redhat.com/errata/RHSA-2025:7476
Comment 36 errata-xmlrpc 2025-05-15 00:27:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:4730 https://access.redhat.com/errata/RHSA-2025:4730