Server-Side Template Injection
What is Server-Side Template Injection?
Server-Side Template Injection: An attack that injects template-engine syntax into untrusted input, leading to code execution on the server when the template is rendered.
Server-Side Template Injection (SSTI) occurs when user input is concatenated into a template processed by an engine such as Jinja2, Twig, Freemarker, Velocity, or ERB. Many engines expose object access and method calls inside expressions, so injected payloads like {{7*7}} or ${...} can read environment variables, traverse the object graph, and ultimately invoke arbitrary code or operating-system commands. The impact ranges from data disclosure to full server takeover. Defences include passing user data only as template variables (never as the template itself), using sandboxed or logic-less engines, allow-listing template names, applying contextual output encoding, and running the application with least privilege.
● Examples
- 01: A name field rendered with Jinja2 that returns 49 when the user enters {{7*7}}, confirming SSTI.
- 02: A Freemarker template injection that runs Runtime.exec to spawn a reverse shell on the server.
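The root cause in the definition and in Example 01 is the same: user input becomes part of the template source instead of a template variable. The following added example (not from this page's author) shows both patterns in Ruby's standard-library ERB, one of the engines named above; the probe string and the greeting functions are constructed for illustration, and the safe path also HTML-escapes the value for output.

```ruby
require 'erb'

# Constructed probe: the arithmetic test for SSTI, written in ERB syntax.
# If the rendered output contains 49, the engine evaluated the input.
PROBE = '<%= 7 * 7 %>'

# VULNERABLE: the user's value is concatenated into the template source,
# so any ERB tags it contains are compiled and executed by the engine.
def greet_vulnerable(name)
  ERB.new("Hello, #{name}!").result(binding)
end

# SAFE: the template is a fixed string under developer control. The user's
# value is supplied as a template variable, so it is only ever treated as
# data; html_escape then encodes it for the HTML output context.
SAFE_TEMPLATE = ERB.new('Hello, <%= ERB::Util.html_escape(name) %>!')

def greet_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Check helper: does a renderer evaluate the probe instead of echoing it?
# Useful in a regression test that guards the safe pattern.
def probe_evaluated?
  yield(PROBE).include?('49')
end

if __FILE__ == $0
  puts greet_vulnerable(PROBE)  # => Hello, 49!
  puts greet_safe(PROBE)        # => Hello, &lt;%= 7 * 7 %&gt;!
end
```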
● Frequently asked questions
What is Server-Side Template Injection?
An attack that injects template-engine syntax into untrusted input, leading to code execution on the server when the template is rendered. It belongs to the Attacks & Threats category of cybersecurity.
What does Server-Side Template Injection mean?
An attack that injects template-engine syntax into untrusted input, leading to code execution on the server when the template is rendered.
How do you defend against Server-Side Template Injection?
Defences for Server-Side Template Injection combine technical controls and operational practices: pass user data only as template variables, never as the template itself; use sandboxed or logic-less engines; allow-list template names; apply contextual output encoding; and run the application with least privilege, as detailed in the full definition above.
What are other names for Server-Side Template Injection?
Common alternative names include: SSTI, Template injection.