v0.12.1

@romanlutz romanlutz released this 09 Apr 22:52
· 110 commits to main since this release

v0.12.1 — Security Patch

This is a patch release that addresses a Jinja2 server-side template injection (SSTI) vulnerability in PyRIT's prompt handling. All users of PyRIT 0.12.0 and earlier should upgrade.

pip install --upgrade pyrit

What's changed

Security fix: Jinja2 Template Injection (SSTI)

PyRIT's template rendering used an unsandboxed Jinja2 Environment. Remote dataset loaders passed fetched data directly into SeedPrompt(value=...), which rendered it as a Jinja2 template in __post_init__. Because a plain Environment permits access to dunder attributes, a poisoned dataset could carry a template that walks from a harmless literal (via __class__, __mro__, __subclasses__()) to arbitrary loaded Python classes and their methods, i.e. SSTI with Python object traversal on the machine running PyRIT.

Mitigations in this release:

  • Sandboxed rendering: All Jinja2 rendering now uses SandboxedEnvironment, which rejects unsafe attribute access (__class__, __mro__, __subclasses__() and other underscore-prefixed attributes) with a SecurityError instead of evaluating it.
  • Safe-by-default SeedPrompt: New is_jinja_template field (default False). When it is False the value is treated as literal text (template syntax is escaped rather than evaluated). Only trusted sources (YAML files loaded via from_yaml_file) opt in to template rendering.
  • Vendored many-shot dataset: The many-shot jailbreaking dataset is now bundled locally, eliminating a runtime requests.get() to an external GitHub URL. fetch_many_shot_jailbreaking_dataset is deprecated in favor of load_many_shot_jailbreaking_dataset (removal in 0.14.0).
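The following is an added example, not PyRIT's own code, that reproduces the bug class and both mitigations described above in isolation. It needs only the jinja2 package. POISONED_PROMPT is a constructed stand-in for a value a poisoned remote dataset might return; SafePrompt and its is_jinja_template field are a minimal model of the safe-by-default behaviour, not PyRIT's SeedPrompt.

```python
"""SSTI via Jinja2 object traversal, and the two mitigations from the notes.

Added example, not PyRIT code. Requires the jinja2 package.
"""
from dataclasses import dataclass

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed payload standing in for a poisoned dataset entry: starting from
# an empty str literal it reaches `object` through __class__/__mro__ and then
# enumerates every loaded class. `| length` keeps the rendered output small;
# a real payload would pick a class and call it.
POISONED_PROMPT = "{{ ''.__class__.__mro__[1].__subclasses__() | length }}"


def render_unsandboxed(template_text: str, **context) -> str:
    """The pre-0.12.1 pattern: untrusted text rendered in a plain Environment."""
    return Environment().from_string(template_text).render(**context)


def render_sandboxed(template_text: str, **context) -> str:
    """Mitigation 1: SandboxedEnvironment raises SecurityError on the
    underscore-prefixed attribute access the payload depends on."""
    return SandboxedEnvironment().from_string(template_text).render(**context)


@dataclass
class SafePrompt:
    """Mitigation 2, modelled on the is_jinja_template flag (default False).

    By default the value is returned as literal text and never handed to the
    template engine. Only an explicit opt-in renders it, and then only through
    the sandbox. This is a stand-in, not PyRIT's SeedPrompt.
    """
    value: str
    is_jinja_template: bool = False

    def rendered(self) -> str:
        if not self.is_jinja_template:
            return self.value
        return render_sandboxed(self.value)


def classify(template_text: str) -> dict:
    """Push one payload through all three paths and report what each did."""
    result = {}
    unsandboxed = render_unsandboxed(template_text)
    # A non-empty integer means the traversal ran and counted loaded classes.
    result["unsandboxed_executed"] = unsandboxed.isdigit() and int(unsandboxed) > 0
    try:
        render_sandboxed(template_text)
        result["sandboxed_blocked"] = False
    except SecurityError:
        result["sandboxed_blocked"] = True
    # With the default flag the text is passed through untouched.
    result["default_literal"] = SafePrompt(template_text).rendered() == template_text
    return result


if __name__ == "__main__":
    for path, outcome in classify(POISONED_PROMPT).items():
        print(f"{path}: {outcome}")
    print(render_sandboxed("Hello {{ who }}", who="world"))
```

The sandbox alone is a defence in depth, not a substitute for the default-off flag: it stops attribute traversal, but a template still runs attacker-chosen logic and can call any function you place in its context. Keeping fetched data out of the renderer entirely is what removes the attack surface.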

Action required

  • Upgrade: pip install --upgrade pyrit
  • If you construct SeedPrompt with Jinja2 template syntax in your own code, add is_jinja_template=True to preserve rendering behavior. Without it, template syntax is now escaped and rendered literally. Opt in only for values you author yourself, never for text fetched from a remote source or a user.
  • If you call fetch_many_shot_jailbreaking_dataset(), switch to load_many_shot_jailbreaking_dataset().

Full list of changes

Full Changelog: v0.12.0...v0.12.1