CVE-2024-22195
Cross-Site Scripting (XSS) vulnerability in jinja2 (PyPI)

Type: Cross-Site Scripting (XSS) | Known exploit: none | Fixable by: Resolved Security

What is CVE-2024-22195 About?

This vulnerability in Jinja's `xmlattr` filter stems from the filter accepting attribute keys that contain spaces, which permits attribute injection and Cross-Site Scripting (XSS). Its impact includes arbitrary code execution in the user's browser and session hijacking. Exploitation requires an application that passes unsanitized user input to `xmlattr` as XML/HTML attribute keys, so it is moderately easy to exploit under those specific circumstances.

Affected Software

jinja2 <3.1.3

Technical Details

The vulnerability resides in the `xmlattr` filter of affected Jinja versions. The core issue is that the filter does not reject user-supplied XML/HTML attribute keys that contain spaces. In XML and HTML a space separates attributes, so a key written as `name value` is interpreted as two distinct attributes. If an application lets user input define attribute keys and then renders them through `xmlattr`, an attacker can supply a key that contains a space followed by `onclick=alert(1)`. When Jinja renders it, `onclick=alert(1)` is emitted as a separate attribute even though it was meant to be part of the key. This attribute injection becomes Cross-Site Scripting (XSS) when the injected attribute carries JavaScript, letting the attacker execute arbitrary script in the context of the user's browser.

What is the Impact of CVE-2024-22195?

Successful exploitation may allow attackers to inject arbitrary client-side script code, leading to defacement of web pages, session hijacking, disclosure of sensitive data, or redirection to malicious sites via Cross-Site Scripting (XSS).

What is the Exploitability of CVE-2024-22195?

Exploitation has moderate complexity: the application must accept user input for attribute keys (not just values) and pass it to the `xmlattr` filter without proper sanitization. There are no authentication or privilege requirements specific to this vulnerability; the triggering input can come from authenticated or unauthenticated users alike. It is a remote vulnerability, since the attacker submits the malicious input through the web interface. The essential condition is that attacker-controlled keys end up in pages rendered for other users, which makes this a stored XSS scenario. The risk increases when an application deviates from the common usage of `xmlattr` by allowing uncontrolled user-supplied keys, and when it fails to perform strict input validation on those keys regardless of the filter's own behavior.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits (no entries listed)

What are the Available Fixes for CVE-2024-22195?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents XML/SGML attribute injection by raising a `ValueError` when any attribute key contains whitespace (spaces, tabs, or newlines). This addresses CVE-2024-22195 by blocking the class of XSS attacks in which an attacker injects additional attributes or script through keys containing spaces passed to the Jinja2 `xmlattr` filter.
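The following is an added example, not Jinja's own code and not Resolved Security's patch. It is a stand-alone re-implementation of what an `xmlattr`-style filter does, covering both the Technical Details section above (a vulnerable form that emits keys untouched, so a key containing a space splits into extra attributes) and the fix description (a hardened form that raises `ValueError` on whitespace in a key). The sample attribute dicts are constructed for the example, the `_ATTR_NAME` allowlist is an assumption stricter than the whitespace-only check the fix describes, and `attribute_names` is a helper written here using the standard-library HTML parser to show how a parser tokenises the rendered output.

```python
"""
Added example (not Jinja's own code and not Resolved Security's patch):
a stand-alone re-implementation of an ``xmlattr``-style filter in a
vulnerable form and a hardened form. Standard library only.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample input: attribute dicts as an application might build
# them from user-controlled data. The second dict has a key containing a
# space, which is the CVE-2024-22195 condition.
SAFE_ATTRS = {"class": "card", "data-id": "42"}
TAINTED_ATTRS = {"class": "card", "x onclick=alert(1)": "y"}

# Allowlist for attribute names (an assumption of this example, stricter
# than the whitespace-only check the fix description mentions).
_ATTR_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.-]*")


def naive_xmlattr(attrs: dict) -> str:
    """Vulnerable form: values are escaped, keys are emitted untouched."""
    return "".join(
        f' {key}="{html.escape(str(value), quote=True)}"'
        for key, value in attrs.items()
    )


def hardened_xmlattr(attrs: dict, strict: bool = True) -> str:
    """Hardened form: refuse any key that could start a new attribute.

    The whitespace check is the one the fix description names. ``strict``
    additionally applies the allowlist so keys such as ``a=b`` are refused,
    which is the application-side validation the advisory recommends
    regardless of the filter's behaviour.
    """
    parts = []
    for key, value in attrs.items():
        if any(ch.isspace() for ch in key):
            raise ValueError(f"attribute key contains whitespace: {key!r}")
        if strict and not _ATTR_NAME.fullmatch(key):
            raise ValueError(f"attribute key is not a valid name: {key!r}")
        parts.append(f' {key}="{html.escape(str(value), quote=True)}"')
    return "".join(parts)


class _AttrCollector(HTMLParser):
    """Collects the attribute names an HTML parser tokenises from a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(fragment: str) -> list[str]:
    """Return the attribute names a parser sees in ``fragment``."""
    collector = _AttrCollector()
    collector.feed(fragment)
    collector.close()
    return collector.names


if __name__ == "__main__":
    # The vulnerable renderer turns one tainted key into several attributes,
    # one of which is an event handler the parser recognises as ``onclick``.
    rendered = "<div" + naive_xmlattr(TAINTED_ATTRS) + "></div>"
    print(rendered)
    print(attribute_names(rendered))
    # The hardened renderer refuses the same input.
    try:
        hardened_xmlattr(TAINTED_ATTRS)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of `strict=True` is the caveat in the exploitability section: rejecting whitespace stops this particular injection, but a key such as `a=b` still passes a whitespace-only check, so an application that lets users choose attribute names should validate them against an allowlist rather than rely on the filter alone.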

Available Upgrade Options

  • jinja2
    • <3.1.3 → Upgrade to 3.1.3


Additional Resources

What are Similar Vulnerabilities to CVE-2024-22195?

Similar Vulnerabilities: CVE-2023-38408, CVE-2023-38407, CVE-2023-34327, CVE-2023-28447, CVE-2023-0182