# Dify — SSTI/code execution risk via unsandboxed Jinja2 template transform

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: Dify | platform: huntr | repo: langgenius/dify | commit: 2026-02-12-scan

````
Repository URL: https://github.com/langgenius/dify
Package Manager: poetry/pip
Version Affected: latest (observed in 2026-02-12 scan)
Vulnerability Type: Improper Neutralization of Special Elements Used in a Template Engine

CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Title: Template transform uses jinja2.Template directly without sandboxing

Impact: Code execution in template runtime context (sandbox service), with potential network-enabled lateral movement depending on sandbox isolation and outbound policy.

Description:

# Description

The template-transform code path uses `jinja2.Template()` directly rather than a sandboxed Jinja2 environment. This permits execution of template expressions beyond safe interpolation when attacker-controlled template content is processed.

The finding context indicates this path runs inside Dify's external sandbox service, and that the sandbox is configured with network access (`enable_network=True`), making a successful SSTI useful for internal probing/exfiltration from the sandbox context.

# Proof of Concept

1. Create or modify a workflow node that evaluates user-controlled Jinja2 template text.
2. Supply an SSTI payload in the template body.
3. Execute the workflow and observe expression execution effects.

Example payload pattern:

```jinja2
{{ cycler.__init__.__globals__.os.popen('id').read() }}
```

Expected vulnerable behavior: expression evaluation exceeds simple variable substitution because of the direct `Template()` evaluation path.
### Impact

Code execution in template runtime context (sandbox service), with potential network-enabled lateral movement depending on sandbox isolation and outbound policy.

### Occurrences

```
Permalink: https://github.com/langgenius/dify/blob/main/api/core/helper/code_executor/jinja2/jinja2_transformer.py#L47
Description: Jinja2 template execution path uses direct template compilation/evaluation
```

### References

```
URL: https://cwe.mitre.org/data/definitions/1336.html
Name: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

URL: https://jinja.palletsprojects.com/en/latest/sandbox/
Name: Jinja2 SandboxedEnvironment

URL: https://portswigger.net/web-security/server-side-template-injection
Name: SSTI background and exploitation patterns
```
````
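The following is an added example, not code from Dify or from the draft above: it puts the vulnerable `jinja2.Template()` pattern beside the `SandboxedEnvironment` fix the references point to, and shows why the sandbox closes the dunder-walk used by the payload pattern. The template strings and context values are constructed for the demo; `render_unsandboxed`, `render_sandboxed`, `sandbox_blocks` and `looks_like_sandbox_escape` are names chosen here, not Dify functions. Requires `jinja2` to be installed.

```python
"""Unsandboxed vs sandboxed Jinja2 rendering (added example, not Dify code)."""
import re

from jinja2 import Template
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample inputs for the demo (not taken from any real workflow).
SAFE_TEMPLATE = "Hello {{ name }}, you have {{ items | length }} items."
# A probe that walks from a built-in global (cycler) into Python internals.
# It is a prefix of the payload pattern in the draft: a plain Template()
# evaluates it, while the sandbox refuses the first underscore attribute.
PROBE_TEMPLATE = "{{ cycler.__init__.__globals__ }}"


def render_unsandboxed(source: str, **ctx) -> str:
    # Vulnerable pattern: Template() builds on a default, non-sandboxed
    # Environment whose getattr() imposes no restriction on attribute access.
    return Template(source).render(**ctx)


def render_sandboxed(source: str, **ctx) -> str:
    # Hardened pattern: SandboxedEnvironment routes every attribute and item
    # lookup through is_safe_attribute(), which rejects names starting with
    # "_" and known-dangerous internals; a rejected lookup raises
    # SecurityError instead of yielding the object.
    env = SandboxedEnvironment(autoescape=False)
    return env.from_string(source).render(**ctx)


def sandbox_blocks(source: str, **ctx) -> bool:
    """True if the sandboxed renderer refuses to evaluate `source`."""
    try:
        render_sandboxed(source, **ctx)
    except SecurityError:
        return True
    return False


# Heuristic pre-check for logging/review only; the sandbox is the control.
DUNDER_WALK = re.compile(r"__[A-Za-z]+__")


def looks_like_sandbox_escape(source: str) -> bool:
    """Flag template text that reaches for dunder attributes."""
    return bool(DUNDER_WALK.search(source))


if __name__ == "__main__":
    ctx = {"name": "dana", "items": [1, 2, 3]}
    print("unsandboxed, safe template :", render_unsandboxed(SAFE_TEMPLATE, **ctx))
    print("sandboxed, safe template   :", render_sandboxed(SAFE_TEMPLATE, **ctx))
    print("unsandboxed probe evaluated:", render_unsandboxed(PROBE_TEMPLATE)[:40], "...")
    print("sandbox blocks probe       :", sandbox_blocks(PROBE_TEMPLATE))
    print("static pre-check flags it  :", looks_like_sandbox_escape(PROBE_TEMPLATE))
```

Both renderers produce identical output for ordinary interpolation, so swapping `Template(source)` for `SandboxedEnvironment().from_string(source)` costs nothing for legitimate templates; the difference only appears when a template tries to leave the interpolation context, which is exactly the behaviour the draft's PoC relies on.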