{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jinja2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssti","jinja2","rce","giskard-agents","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe giskard-agents library, specifically versions 0.3.3 and earlier, along with versions 1.0.1a1 through 1.0.2a1, contains a critical vulnerability related to server-side template injection. The \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method within the library directly passes user-provided strings to a non-sandboxed Jinja2 Environment. This design flaw allows a malicious actor to inject arbitrary Jinja2 templates into the message, which, when rendered, can lead to remote code execution (RCE) on the server hosting the application. This vulnerability exists because the \u003ccode\u003echat()\u003c/code\u003e method, intended for processing user input, inadvertently interprets the input as a Jinja2 template due to the usage of \u003ccode\u003e_inline_env.from_string()\u003c/code\u003e. 
Defenders should be aware of applications that use the vulnerable \u003ccode\u003echat()\u003c/code\u003e method, since that usage creates the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious string containing a Jinja2 payload designed for RCE.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious string to a user interface or API endpoint that utilizes the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-controlled string to the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e creates a \u003ccode\u003eMessageTemplate\u003c/code\u003e object with the attacker\u0026rsquo;s string as the \u003ccode\u003econtent_template\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erender()\u003c/code\u003e method of the \u003ccode\u003eMessageTemplate\u003c/code\u003e object calls \u003ccode\u003e_inline_env.from_string()\u003c/code\u003e on the attacker-controlled string, creating a Jinja2 template.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etemplate.render()\u003c/code\u003e method is invoked, executing the attacker\u0026rsquo;s Jinja2 payload because the Jinja2 Environment is not sandboxed.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload leverages Jinja2 class traversal to gain access to sensitive modules like \u003ccode\u003eos\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary system commands via \u003ccode\u003eos.popen()\u003c/code\u003e (or equivalent), achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary system commands on the server hosting the affected application. 
This could lead to complete compromise of the server, including data theft, modification, or destruction. The severity of the impact is critical, potentially affecting any application that relies on giskard-agents for chatbot functionality and exposes the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method to user input. Affected versions include giskard-agents \u0026lt;=0.3.3 and 1.0.x alpha. Patched versions are giskard-agents 0.3.4 (stable) and 1.0.2b1 (pre-release).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade giskard-agents to version 0.3.4 or 1.0.2b1, which include the fix for the vulnerability described in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Giskard Agents SSTI Attempt via Jinja2 Class Traversal\u003c/code\u003e to detect exploitation attempts via \u003ccode\u003ewebserver\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize user inputs passed to the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method to prevent Jinja2 template injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T22:17:30Z","date_published":"2026-03-27T22:17:30Z","id":"/briefs/2024-01-02-giskard-ssti/","summary":"Giskard-agents versions 0.3.3 and earlier, and versions 1.0.1a1 through 1.0.2a1 are vulnerable to remote code execution via server-side template injection where the ChatWorkflow.chat() method passes user-supplied strings directly to a non-sandboxed Jinja2 Environment, allowing attackers to execute arbitrary code on the server.","title":"Giskard-agents ChatWorkflow.chat() Server-Side Template Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-02-giskard-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed — Jinja2","version":"https://jsonfeed.org/version/1.1"}