CVE-2024-34064
Cross-site Scripting (XSS) vulnerability in jinja2 (PyPI)
What is CVE-2024-34064 About?
This vulnerability in Jinja's `xmlattr` filter allows keys containing non-attribute characters, which can lead to Cross-site Scripting (XSS) if user-supplied keys are rendered. An attacker can inject other attributes using characters like '/', '>', or '='. Exploiting this requires an application to accept and render user input as `xmlattr` keys without validation.
Affected Software
Technical Details
The `xmlattr` filter in affected Jinja versions incorrectly handles keys containing characters that are invalid in standard XML/HTML attribute names (e.g., spaces, '/', '>', '='). Instead of rejecting or sanitizing these keys, it emits them as-is, producing a malformed attribute list. If an application accepts user input as keys for the `xmlattr` filter and renders the result without validating those keys, an attacker can craft input such as `key/value=malicious` to inject additional, unintended attributes. For example, injecting `onclick='alert(1)'` as part of an attribute key would result in an `onclic` attribute and a separate `k='alert(1)'` attribute, potentially leading to Cross-site Scripting (XSS) when rendered in a user's browser. This bypasses the fix for CVE-2024-22195, which only addressed spaces in keys.
What is the Impact of CVE-2024-34064?
Successful exploitation may allow attackers to inject malicious scripts into web pages, leading to Cross-site Scripting (XSS), session hijacking, data theft, or defacement of the affected website.
What is the Exploitability of CVE-2024-34064?
Exploitation of this vulnerability is of moderate complexity. It critically depends on an application's use case: an application must accept keys (not just values) for the xmlattr filter as user input without subsequent validation. Remote access is required as the attack involves submitting malicious input to a web application. No specific authentication is needed if the input path is publicly accessible; otherwise, an authenticated user could exploit it. Privilege requirements are minimal, limited to the ability to submit input. The special condition is the application's explicit design choice to use user-supplied data as xmlattr keys, which is now considered an unintended use case. The likelihood of exploitation increases if application developers are unaware of this nuance and directly pass untrusted strings as xmlattr keys.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | - | - |
What are the Available Fixes for CVE-2024-34064?
About the Fix from Resolved Security
This patch expands input validation in Jinja2's `xmlattr` filter by rejecting attribute keys containing space, solidus (`/`), greater-than (`>`), or equals (`=`) characters, raising a `ValueError` if such characters are present. This prevents attackers from injecting crafted attribute names that could break out of attributes and introduce malicious code or XSS, which is the core issue fixed in CVE-2024-34064.
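To make the fix concrete, the following is a simplified, self-contained model of the `xmlattr` filter written for this page; it is not Jinja's own code. It pairs the pre-fix behaviour (keys pass through with only HTML escaping, which leaves `/` and `=` untouched) with the post-fix behaviour (keys containing whitespace, `/`, `>` or `=` raise `ValueError`, as the fix summary above describes), and adds an application-side allowlist check, `validate_attr_keys`, which is an assumption of this example rather than part of Jinja. The injected attribute name `data-injected` and the sample dictionaries are constructed for illustration; the page describes the same mechanism with event-handler attributes.

```python
"""Simplified model of Jinja's ``xmlattr`` filter before and after the
CVE-2024-34064 fix.  Constructed illustration for this page; not Jinja's
own implementation."""
import html
import re

# Characters the fix rejects in attribute keys: whitespace, solidus (/),
# greater-than (>) and equals (=), per the fix description above.
_ATTR_KEY_RE = re.compile(r"[\s/>=]", flags=re.ASCII)

# Stricter application-side allowlist (assumption of this example, not part of
# Jinja): a conventional HTML/XML attribute name.
_ATTR_NAME_ALLOWLIST = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.\-]*$", flags=re.ASCII)


def _render(items, autospace):
    """Join key="value" pairs; keys and values are HTML-escaped only."""
    rv = " ".join(
        f'{html.escape(k, quote=True)}="{html.escape(str(v), quote=True)}"'
        for k, v in items
    )
    if autospace and rv:
        rv = " " + rv
    return rv


def xmlattr_vulnerable(d, autospace=True):
    """Pre-fix behaviour: HTML escaping does not touch '/' or '=', so a key
    can smuggle a second attribute into the rendered tag."""
    items = [(k, v) for k, v in d.items() if v is not None]
    return _render(items, autospace)


def xmlattr_fixed(d, autospace=True):
    """Post-fix behaviour: reject keys containing characters that could end
    the attribute name or start another attribute."""
    items = []
    for key, value in d.items():
        if value is None:
            continue
        if _ATTR_KEY_RE.search(key) is not None:
            raise ValueError(f"Invalid character in attribute name: {key!r}")
        items.append((key, value))
    return _render(items, autospace)


def key_rejected(key):
    """True if the fixed filter refuses this key (used to show which inputs
    the validation catches)."""
    try:
        xmlattr_fixed({key: "v"})
    except ValueError:
        return True
    return False


def attribute_names(rendered):
    """Crude tokenizer: quoted values are blanked out, then the string is split
    on whitespace and '/' to list the attribute names a browser would see.
    Illustrative only; not a real HTML parser."""
    stripped = re.sub(r'="[^"]*"', '=""', rendered)
    return [t.split("=", 1)[0] for t in re.split(r"[\s/]+", stripped) if t]


def validate_attr_keys(d):
    """Application-level allowlist to apply to untrusted keys before they reach
    the filter, independent of the installed Jinja version."""
    bad = [k for k in d if not _ATTR_NAME_ALLOWLIST.match(k)]
    if bad:
        raise ValueError(f"Untrusted attribute names rejected: {bad!r}")
    return d


if __name__ == "__main__":
    # Constructed untrusted key: an attacker-controlled string used as a key.
    untrusted = {"title/data-injected=1": "x"}
    rendered = xmlattr_vulnerable(untrusted)
    print("vulnerable output:", rendered)
    print("attribute names seen:", attribute_names(rendered))
    print("fixed filter rejects key:", key_rejected("title/data-injected=1"))
```

Running the script shows the pre-fix output ` title/data-injected=1="x"`, which a browser tokenizes as two attributes (`title` and `data-injected`) even though the template author intended one; the fixed filter raises instead. Because the fix only covers the characters listed above, `validate_attr_keys` illustrates the stricter check an application should apply when it must accept attribute names from untrusted input at all.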
Available Upgrade Options
- jinja2
- <3.1.4 → Upgrade to 3.1.4
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC/
- https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
- https://nvd.nist.gov/vuln/detail/CVE-2024-34064
- https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
- https://github.com/pallets/jinja
- https://osv.dev/vulnerability/GHSA-h75v-3vvj-5mfj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS
What are Similar Vulnerabilities to CVE-2024-34064?
Similar Vulnerabilities: CVE-2024-22195, CVE-2023-38408, CVE-2022-24756, CVE-2021-33190, CVE-2020-5240
