How CVE-2025-3841 Works
The vulnerability in Wix-Incubator Jam (up to commit e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9) stems from improper neutralization of user-supplied input in the `config['template']` parameter, which is processed by the Jinja2 template engine. An attacker can inject Jinja2 template syntax into this parameter, leading to server-side template injection (SSTI). Because the attack surface is limited to the local host, exploitation requires prior local access, but a successful attack could allow arbitrary code execution or exposure of sensitive data. The root cause is insufficient validation of the input before it is processed as a dynamic template.
DailyCVE Form
Platform: Wix-Incubator Jam
Version: <= e87a6fd85cf8
Vulnerability: SSTI
Severity: Medium
Date: 06/23/2025
Prediction: Patch by 07/15/2025
What Undercode Says
Check vulnerable version:
git clone https://github.com/wix-incubator/jam
git checkout e87a6fd85cf8
Exploit PoC (local):
curl -X POST -d "config[bash]={{77}}" http://localhost/jam.py
How to Exploit
- Craft a malicious Jinja2 payload in config['template'].
- Trigger the SSTI via a local API call.
- Execute arbitrary Python code.
Protection from this CVE
- Update to patched version.
- Sanitize template inputs.
- Restrict localhost access.
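The following is an added example, not code from the Jam project or from this advisory, showing the defensive side of the issue described above: the vulnerable pattern (a user-controlled `config['template']` value used directly as Jinja2 template source) beside the hardened pattern (the value only selects a template from a fixed allow-list), plus a small check that flags Jinja2 delimiters in request data for detection. The template names, template strings and request log lines are constructed for illustration; how Jam itself loads and renders templates is not described on the page and is assumed here.

```python
import re
from typing import Iterable, List, Mapping

# Constructed allow-list of templates the application is willing to render.
# Only the application author writes template source; users never do.
ALLOWED_TEMPLATES = {
    "default": "Hello {{ name }}!",
    "report": "Report for {{ name }}: {{ count }} items",
}

# Jinja2 delimiters for expressions, statements and comments.
# A user-supplied value that will be treated as template *source* must
# never contain these; a value used only as render *data* may.
JINJA_DELIMITERS = re.compile(r"\{\{|\{%|\{#")


def contains_template_syntax(value: str) -> bool:
    """Return True if the value carries Jinja2 delimiters (SSTI indicator)."""
    return bool(JINJA_DELIMITERS.search(value))


def select_template_unsafe(config: Mapping[str, str]) -> str:
    """Vulnerable pattern (assumed, for contrast): the user-controlled value
    is returned as-is and later compiled as the template source, so any
    Jinja2 syntax in it is executed by the engine."""
    return config["template"]


def select_template_safe(config: Mapping[str, str]) -> str:
    """Hardened pattern: the user-controlled value is only a *name* that is
    looked up in the allow-list. Unknown names are rejected, so user input
    can never become template source."""
    name = config.get("template", "default")
    if name not in ALLOWED_TEMPLATES:
        raise ValueError(f"unknown template name: {name!r}")
    return ALLOWED_TEMPLATES[name]


def flag_suspicious_requests(log_lines: Iterable[str]) -> List[str]:
    """Detection helper: return request log lines whose config parameters
    carry Jinja2 delimiters. Useful as a local audit rule while the fix is
    being rolled out."""
    return [line for line in log_lines if contains_template_syntax(line)]


# Constructed sample request log (not real traffic).
SAMPLE_REQUEST_LOG = [
    'POST /jam.py body="config[template]=report"',
    'POST /jam.py body="config[template]={{77}}"',
    'POST /jam.py body="config[template]={% for x in y %}x{% endfor %}"',
    'POST /jam.py body="config[template]=default"',
]


if __name__ == "__main__":
    print("safe:", select_template_safe({"template": "report"}))
    try:
        select_template_safe({"template": "{{77}}"})
    except ValueError as exc:
        print("rejected:", exc)
    for line in flag_suspicious_requests(SAMPLE_REQUEST_LOG):
        print("suspicious:", line)
```

The design point is that input validation alone ("strip the braces") is a weaker control than the allow-list: once the user value can only ever be a key into a set of developer-written templates, there is no template source for an attacker to influence, and the delimiter check is reduced to a detection signal rather than the security boundary.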
Impact
- Local code execution.
- Data leakage.
- Privilege escalation.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode