IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. Server-Side Template Injection (SSTI)
InjectionCritical

Server-Side Template Injection (SSTI)

Also known as: SSTI

Server-Side Template Injection (SSTI) occurs when user input is concatenated into a template that is then rendered by a server-side template engine (Jinja2, Twig, Freemarker, Velocity, and others). Because template engines can evaluate expressions and access objects, injection frequently escalates from information disclosure to remote code execution.

CWE
CWE-1336CWE-94
OWASP
A03:2021

How it works

  1. 1User input is placed directly into a template string rather than passed as data.
  2. 2The template engine evaluates the injected expression.
  3. 3The attacker probes with engine-specific syntax to confirm evaluation.
  4. 4They escalate through the object model to read data or execute commands.

Example

Vulnerable (Jinja2):  render_template_string("Hello " + name)

Probe:   {{7*7}}   ->   Hello 49
Escalate: {{ ''.__class__.__mro__[1].__subclasses__() }}
Confirming evaluation, then walking the object model.

Impact

SSTI commonly results in remote code execution on the application server, making it one of the most severe injection classes.

Remediation

  • Never build templates from user input; pass user data as bound variables only.
  • Use logic-less or sandboxed template engines where possible.
  • Apply strict input validation and run the renderer with least privilege.

Detection & testing

Inject engine-specific expressions and observe evaluation (e.g. arithmetic rendering). Confirm with a safe, non-destructive command proof.

Impactr tests for Server-Side Template Injection (SSTI) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for SSTI

Tools

ImpactrBurp Suitetplmap

Frequently asked questions

How is SSTI different from XSS?

XSS executes in the victim's browser (client-side). SSTI executes in the template engine on the server, so it often leads directly to server-side code execution rather than session theft.

Related concepts

OS Command InjectionCross-Site Scripting (XSS)SQL Injection (SQLi)
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub