-
-
Notifications
You must be signed in to change notification settings - Fork 70
chore(deps): update dependency jinja2 to v3.1.6 [security] - autoclosed #224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Quality Gate Passed Quality Gate passed
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
@renovate
renovate
bot
changed the title
(削除) Update dependency jinja2 to v3.1.5 [SECURITY] (削除ここまで)
(追記) chore(deps): update dependency jinja2 to v3.1.5 [security] (追記ここまで)
Jan 3, 2025
@renovate
renovate
bot
changed the title
(削除) chore(deps): update dependency jinja2 to v3.1.5 [security] (削除ここまで)
(追記) chore(deps): update dependency jinja2 to v3.1.6 [security] (追記ここまで)
Mar 6, 2025
@renovate
renovate
bot
force-pushed
the
renovate/pypi-jinja2-vulnerability
branch
from
March 6, 2025 05:25
95faccc to
8ffd8a5
Compare
Quality Gate Passed Quality Gate passed
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
@renovate
renovate
bot
changed the title
(削除) chore(deps): update dependency jinja2 to v3.1.6 [security] (削除ここまで)
(追記) chore(deps): update dependency jinja2 to v3.1.6 [security] - autoclosed (追記ここまで)
Sep 5, 2025
@renovate
renovate
bot
deleted the
renovate/pypi-jinja2-vulnerability
branch
September 5, 2025 18:08
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
This PR contains the following updates:
==3.1.4->==3.1.6GitHub Vulnerability Alerts
CVE-2024-56326
An oversight in how the Jinja sandboxed environment detects calls to
str.formatallows an attacker that controls the content of a template to execute arbitrary Python code.To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to
str.formatand ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string'sformatmethod, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.CVE-2024-56201
A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.
To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.
CVE-2025-27516
An oversight in how the Jinja sandboxed environment interacts with the
|attrfilter allows an attacker that controls the content of a template to execute arbitrary Python code.To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to
str.formatand ensures they don't escape the sandbox. However, it's possible to use the|attrfilter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the|attrfilter no longer bypasses the environment's attribute lookup.Release Notes
pallets/jinja (jinja2)
v3.1.6Compare Source
Released 2025年03月05日
|attrfilter does not bypass the environment's attribute lookup,allowing the sandbox to apply its checks. :ghsa:
cpwx-vrp4-4pq7v3.1.5Compare Source
Released 2024年12月21日
str.format, such asby passing a stored reference to a filter that calls its argument.
:ghsa:
q2x7-8rv6-6q7hissues with names that contain f-string syntax.
:issue:
1792, :ghsa:gmj6-6f8f-6699clearandpopon known mutable sequencetypes. :issue:
2032renderfor an async template usesasyncio.run.:pr:
1952auto_aiterwarnings. :pr:1960aclose-ableAsyncGeneratorfromTemplate.generate_async. :pr:1960root_render_func()unclosed inTemplate.generate_async. :pr:1960:pr:
1960concatfunction for the current environmentwhen calling block references. :issue:
1701|uniqueasync-aware, allowing it to be used after anotherasync-aware filter. :issue:
1781|intfilter handlesOverflowErrorfrom scientific notation.:issue:
1921{% set ... %}call. :issue:
2021copy/pickle/etc) interaction withUndefinedobjects. :issue:
2025copy/picklesupport for the internalmissingobject.:issue:
2027Environment.overlay(enable_async)is applied correctly. :pr:2061FileSystemLoaderincludes the paths that weresearched. :issue:
1661PackageLoadershows a clearer error message when the package does notcontain the templates directory. :issue:
17051880urlizedoes not addmailto:to values like@a@b. :pr:1870@pass_context`` can be used with the ``|select`` filter. :issue:1624`setfor multiple assignment (a, b = 1, 2) does not fail when thetarget is a namespace attribute. :issue:
1413setin all branches of{% if %}{% elif %}{% else %}blocksdoes not cause the variable to be considered initially undefined.
:issue:
1253Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.