CVE-2024-34064 — Jinja2 XSS MEDIUM
🔴 CISA KEV
pypi
CVSS 5.4 · Jinja2 < 3.1.4 → 3.1.4
Jinja2's xmlattr filter does not properly sanitize keys containing spaces. An attacker can inject additional HTML attributes into the rendered output, leading to XSS. Applications using the xmlattr filter with user-controlled dictionary keys are vulnerable.
What's affected
| Package | Ecosystem | Vulnerable | Safe version | Fix guide |
|---|---|---|---|---|
| Jinja2 | pypi | < 3.1.4 | 3.1.4 | Full fix guide → |
How to fix CVE-2024-34064
- Update Jinja2 to 3.1.4
- Run pip install -r requirements.txt
- Review any templates using the xmlattr filter with user-controlled input
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2024-34064 no longer appears in the CVE table, you're clean.
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub · Runs 100% in your browser
Frequently Asked Questions
What is the xmlattr filter?
The xmlattr filter in Jinja2 renders a dictionary as a string of HTML attributes (each key becomes an attribute name, each value its quoted, escaped value). If the dictionary keys come from user input, XSS is possible: a key is emitted as an attribute name rather than a value, so a key containing a space can introduce an extra attribute into the rendered tag.
Does this affect Flask apps?
Yes — Flask uses Jinja2 as its template engine. Any Flask application using the xmlattr filter with user input is affected.
What's the CVSS for CVE-2024-34064?
5.4 (MEDIUM) — XSS severity varies by context. In admin interfaces or authenticated areas, the impact can be higher.