CVE-2024-32651 CRITICAL

CVE-2024-32651: Server Side Template Injection in Jinja2 allows Remote Command Execution

Vendor Dgtlmoon
Product changedetection.io
Weakness CWE-1336
Published April 25, 2024
Last update February 13, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).

Key dates

02Disclosure timeline

April 25, 2024 CVE published
February 13, 2025 Record updated