Headline
GHSA-m49c-g9wr-hv6v: jinjava has Sandbox Bypass via JavaType-Based Deserialization
Summary
jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as getClass(), and block instantiation of Class objects. However, these protections can be bypassed.
By using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals.
As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE).
Details
jinjava templates expose a built-in variable ____int3rpr3t3r____, which provides direct access to the jinjavaInterpreter instance.
This variable was previously abused (see Add interpreter to blacklist), and while protections were added to prevent call method from JinjavaInterpreter instances.
However, interacting with the properties of JinjavaInterpreter instances remains unrestricted.
From ____int3rpr3t3r____, it is possible to traverse to the config field, which exposes an ObjectMapper. By invoking readValue(String content, JavaType valueType) on this ObjectMapper, an attacker can instantiate arbitrary classes specified via JavaType.
Although jinjava explicitly restricts dangerous classes such as Class, ClassLoader, and so on inside JinjavaBeanELResolver, the JavaType class itself is not restricted.
As a result, an attacker can leverage JavaType construction (constructFromCanonical) to instantiate semi-arbitrary classes without directly calling restricted methods.
This allows sandbox escape and the creation of powerful primitives. For example, instantiating java.net.URL enables reading arbitrary files, as shown in the following PoC (tested on Jinjava 2.8.0):
{% set mapper = ____int3rpr3t3r____.config.objectMapper %}
{{ mapper.enableDefaultTyping() }}
{% set file = mapper.readValue('"file:///etc/passwd"', mapper.getTypeFactory().constructFromCanonical('java.net.URL')) %}
{% set inputStream = file.openStream() %}
{% set bytes = inputStream.readAllBytes() %}
{% set stringType = mapper.getTypeFactory().constructFromCanonical('java.lang.String') %}
{% set content = mapper.convertValue(bytes, stringType) %}
{{ content }}
Impact
Escape the Jinjava sandbox and instantiate a wide range of classes using JavaType.
This capability can be used to read arbitrary files, such as /proc/self/environ, and to perform full read SSRF by creating network-related objects.
In certain environments, depending on the available classes, this primitive can even lead to complete remote code execution.
Summary
jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as getClass(), and block instantiation of Class objects. However, these protections can be bypassed.
By using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals.
As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE).
Details
jinjava templates expose a built-in variable ____int3rpr3t3r____, which provides direct access to the jinjavaInterpreter instance.
This variable was previously abused (see Add interpreter to blacklist), and while protections were added to prevent call method from JinjavaInterpreter instances.
However, interacting with the properties of JinjavaInterpreter instances remains unrestricted.
From ____int3rpr3t3r____, it is possible to traverse to the config field, which exposes an ObjectMapper. By invoking readValue(String content, JavaType valueType) on this ObjectMapper, an attacker can instantiate arbitrary classes specified via JavaType.
Although jinjava explicitly restricts dangerous classes such as Class, ClassLoader, and so on inside JinjavaBeanELResolver, the JavaType class itself is not restricted.
As a result, an attacker can leverage JavaType construction (constructFromCanonical) to instantiate semi-arbitrary classes without directly calling restricted methods.
This allows sandbox escape and the creation of powerful primitives. For example, instantiating java.net.URL enables reading arbitrary files, as shown in the following PoC (tested on Jinjava 2.8.0):
{% set mapper = ____int3rpr3t3r____.config.objectMapper %}
{{ mapper.enableDefaultTyping() }}
{% set file = mapper.readValue('"file:///etc/passwd"', mapper.getTypeFactory().constructFromCanonical('java.net.URL')) %}
{% set inputStream = file.openStream() %}
{% set bytes = inputStream.readAllBytes() %}
{% set stringType = mapper.getTypeFactory().constructFromCanonical('java.lang.String') %}
{% set content = mapper.convertValue(bytes, stringType) %}
{{ content }}
Impact
Escape the Jinjava sandbox and instantiate a wide range of classes using JavaType.
This capability can be used to read arbitrary files, such as /proc/self/environ, and to perform full read SSRF by creating network-related objects.
In certain environments, depending on the available classes, this primitive can even lead to complete remote code execution.
References
- GHSA-m49c-g9wr-hv6v
- HubSpot/jinjava@66df351
- https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.1
Related news
The security landscape now moves at a pace no patch cycle can match. Attackers aren’t waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow’s breach. This week’s recap explores the trends driving that constant churn: how threat