Dynaconf Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in Dynaconf, a Python configuration management tool, in versions prior to 3.2.13. The issue arises from server-side template injection (SSTI) due to unsafe template evaluation in the Jinja resolver. When the Jinja2 package is installed, Dynaconf processes template expressions in configuration values without a sandboxed environment. This vulnerability allows attackers to execute arbitrary OS commands on the host system by injecting malicious templates through various configuration sources, such as environment variables, .env files, container environment settings, and CI/CD secrets. Additionally, the @Format resolver can be exploited to access sensitive runtime objects and environment variables.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system, access to sensitive environment variables, and compromise of application secrets, potentially leading to a full compromise of the running application process.

Reproduction

To reproduce this vulnerability, inject a malicious Jinja template into a Dynaconf setting via an environment variable or another configuration source. When the Jinja resolver is used, the injected template will be executed, allowing access to Python's globals and the os module. This can be automated with a script that sets the environment variable with the payload and then accesses the vulnerable configuration through Dynaconf.

Remediation

Users are advised to update Dynaconf to version 3.2.13 or later, where this vulnerability has been patched. Deployments that rely on Jinja2 templates in configuration values should make sure the templates are rendered through a SandboxedEnvironment so that untrusted template code cannot reach Python internals.
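The following is an added example, not Dynaconf's own code, of rendering such values through SandboxedEnvironment and rejecting templates that reach into Python internals; the settings, the environment dictionary and the render_value/resolve_settings helpers are constructed for illustration, with only the '@jinja ' prefix taken from Dynaconf's marker syntax.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment

# '@jinja ' mirrors Dynaconf's marker for Jinja-evaluated values; the loader below
# is a constructed stand-in, not Dynaconf's resolver.
PREFIX = "@jinja "

# Constructed process environment (stands in for os.environ) and .env-style settings.
SAMPLE_ENV = {"APP_HOME": "/srv/app"}
SAMPLE_SETTINGS = {
    "DATA_DIR": "@jinja {{ env.APP_HOME }}/data",  # legitimate use of the resolver
    "LOG_LEVEL": "INFO",                            # plain value, never rendered
    "PROBE": "@jinja {{ env.__class__ }}",          # template reaching into Python internals
}


def make_env(sandboxed: bool):
    """Build the template environment.

    StrictUndefined matters: for a forbidden attribute the sandbox returns an
    Undefined that the default class renders as '' (hiding the attempt), while
    StrictUndefined raises SecurityError. Misspelled variables raise UndefinedError
    instead of rendering empty.
    """
    cls = SandboxedEnvironment if sandboxed else Environment
    return cls(undefined=StrictUndefined, autoescape=False)


def render_value(raw: str, settings: dict, env: dict, sandboxed: bool = True) -> str:
    """Render one '@jinja ' value; values without the prefix are returned unchanged."""
    if not raw.startswith(PREFIX):
        return raw
    template = make_env(sandboxed).from_string(raw[len(PREFIX):])
    return template.render(env=env, this=settings)


def resolve_settings(settings: dict, env: dict) -> tuple[dict, dict]:
    """Resolve every setting in the sandbox; returns (resolved, rejected).

    rejected maps each refused key to the exception name so the loader can fail
    closed and log the offending key instead of evaluating it.
    """
    resolved, rejected = {}, {}
    for key, raw in settings.items():
        try:
            resolved[key] = render_value(raw, settings, env)
        except (SecurityError, UndefinedError) as exc:
            rejected[key] = type(exc).__name__
    return resolved, rejected
```

Passing sandboxed=False to render_value shows the contrast the advisory describes: the same PROBE value renders the object's type without complaint in a plain Environment.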

Added: Mar 20, 2026, 9:23 PM
Updated: Mar 20, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.