Skyvern versions up to 0.2.0 contain a vulnerability in `sdk/workflow/models/block.py` where improper handling of Jinja2 templates leads to runtime template injection. Attackers can exploit this flaw by injecting malicious Jinja2 expressions, allowing arbitrary code execution within the application context. The leak occurs due to insufficient sandboxing of user-supplied template inputs, enabling attackers to bypass intended restrictions and execute unintended operations.
DailyCVE Form:
Platform: Skyvern
Version: ≤ 0.2.0
Vulnerability: Jinja runtime leak
Severity: High
Date: Jun 7, 2025
Prediction: Patch by Jun 20, 2025
What Undercode Say:
Exploitation:
1. Craft a malicious Jinja2 payload:
{{ self.__init__.__globals__.__builtins__.eval("import('os').system('id')") }}
2. Inject via vulnerable template rendering:
from skyvern.sdk.workflow.models.block import render_template
render_template(malicious_payload)
Mitigation:
1. Sanitize inputs with Jinja2 sandboxing:
from jinja2.sandbox import SandboxedEnvironment
env = SandboxedEnvironment()
env.from_string(user_input).render()
2. Update Skyvern to the patched version once it is released (expected after June 20).
Detection:
Scan for anomalous template executions:
grep -r "render_template.user_input" /path/to/skyvern
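A stricter variant of the grep above, as an added example (not code from Skyvern or from this advisory): it parses Python source and reports every template-rendering call whose template text is not a string literal, which is the pattern that lets user input reach the Jinja2 compiler. The sink names in `SINKS` and the sample source are assumptions made for this illustration.

```python
import ast
from pathlib import Path

# Sink names are an assumption of this example: render_template is the name
# used on this page; from_string and Template are Jinja2's own entry points.
SINKS = {"render_template", "from_string", "Template"}

def find_dynamic_templates(source, filename="<source>"):
    """Return sorted (line, sink) pairs whose template text is not a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        # obj.method(...) exposes .attr, a bare function(...) exposes .id
        name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
        if name not in SINKS:
            continue
        template = node.args[0]
        if isinstance(template, ast.Constant) and isinstance(template.value, str):
            continue  # fixed template text: nothing user-controlled is compiled
        findings.append((node.lineno, name))
    return sorted(findings)

def scan_tree(root):
    """Apply the check to every .py file under root, skipping unparsable files."""
    report = {}
    for path in Path(root).rglob("*.py"):
        try:
            hits = find_dynamic_templates(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            continue
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample source, not taken from Skyvern.
SAMPLE = '''
env = Environment()
def greet(name):
    return env.from_string("Hello {{ name }}").render(name=name)
def preview(user_input):
    return render_template(user_input)
def banner(title):
    return env.from_string("<h1>" + title + "</h1>").render()
'''

if __name__ == "__main__":
    for line, sink in find_dynamic_templates(SAMPLE):
        print(f"line {line}: {sink}() compiles a non-literal template")
```

Each finding is a call site to review by hand: a non-literal template is only a problem when its value can be influenced by a user, and passing user data as render variables (as `greet` does) is not flagged.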
Temporary Workaround:
Disable dynamic template rendering in `block.py`:
def render_template(template_str):
    raise RuntimeError("Dynamic rendering disabled")
Impact Analysis:
- Critical for multi-tenant deployments.
- Low if templates are strictly pre-defined.
Patch Verification:
Post-update, confirm via:
pip show skyvern | grep Version
Sources:
Reported By: github.com