Server Side Template Injection (Blind)

ID

server_side_template_injection_blind

Severity

critical

Kind

Server-Side Template Injection

CWE

1336

Description

When user input is inserted into the template source itself, rather than passed to the renderer as a variable, the template engine evaluates it as template code. In the blind variant the rendered output is not returned to the user, so the injection has to be confirmed through side effects such as a time delay or an out-of-band request. Depending on the template engine, it can lead to remote code execution.

Rationale

Server-side template injection allows attackers to inject template syntax that is evaluated by the server’s template engine, potentially leading to remote code execution. Attackers can break out of the template context to execute arbitrary code, read sensitive files, or gain full control of the server. This vulnerability is particularly severe because template engines often have extensive capabilities including file system access, making exploitation straightforward once injection is achieved.

Remediation

Never concatenate user input directly into template strings. Instead, keep the template source fixed and pass user data as variables to the template rendering function, so the engine treats the input as data rather than as template code to evaluate. Use logic-less template engines where possible. If dynamic templates are required, implement strict input validation and use the template engine's sandboxed or restricted rendering mode, if it offers one, so that injected expressions cannot reach arbitrary code or the file system.
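The following Ruby script is an added example, not part of this page, showing the vulnerable pattern from the description beside the remediation above, using the ERB engine from Ruby's standard library. The greeting template, the order-email scenario and the probe_blind helper are assumptions made for illustration. Because the rendered text is only used internally (here, as an email body) and never echoed back, the injection is blind, so the probe confirms it by timing a sleep rather than by looking for "49" in the output.

```ruby
require "erb"
require "benchmark"

# Constructed template for a hypothetical order-confirmation email.
GREETING_TEMPLATE = "Hello <%= name %>, your order is on its way."

# VULNERABLE: user input is spliced into the template source before ERB
# compiles it, so any <%= ... %> or <% ... %> the user supplies is evaluated
# with the full power of Ruby. The result is an email body, never shown to
# the requester, which is what makes this a blind injection.
def render_vulnerable(user_name)
  template = "Hello #{user_name}, your order is on its way."
  ERB.new(template).result(binding)
end

# SAFE: the template source is a fixed constant and the user's value is
# handed to the renderer as a variable. ERB substitutes it as plain data;
# template syntax inside the value is never compiled.
def render_safe(user_name)
  ERB.new(GREETING_TEMPLATE).result_with_hash(name: user_name)
end

# Blind detection probe (hypothetical helper): submit a payload whose only
# observable effect is a delay and compare wall-clock time against it. A
# renderer that evaluates the payload stalls for at least `delay` seconds;
# one that treats it as data returns immediately.
def probe_blind(renderer, delay: 0.5)
  payload = "<% sleep #{delay} %>"
  elapsed = Benchmark.realtime { renderer.call(payload) }
  elapsed >= delay
end

if $PROGRAM_NAME == __FILE__
  attacker_input = "<%= 7 * 7 %>"
  puts "vulnerable: #{render_vulnerable(attacker_input)}"
  puts "safe:       #{render_safe(attacker_input)}"
  puts "blind probe (vulnerable): #{probe_blind(method(:render_vulnerable))}"
  puts "blind probe (safe):       #{probe_blind(method(:render_safe))}"
end
```

The time-based probe is the same check a scanner runs against a blind endpoint: the payload is chosen so that a true positive is distinguishable purely by response latency. In production code the fix is the shape of render_safe, where the template text never contains anything an attacker controls.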