Intel

AIKIDO-2026-78094

fsspec is vulnerable to Server-Side Template Injection (SSTI)

Server-Side Template Injection (SSTI) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

65

Medium Risk

This Affects:

PYTHONfsspec
0.9.0 - 2026.4.0
Fixed in 2026.6.0
Are you affected? Scan for Free

TL;DR

ReferenceFileSystem renders templates, refs, and gen entries from a loaded reference set using an unsandboxed jinja2.Template engine. When an application opens a reference set that contains attacker-influenced {{ }} expressions, those expressions are evaluated with full Jinja access, allowing traversal to Python internals and arbitrary code execution. Generator (gen) entries are rendered through unsandboxed Jinja even under the default simple_templates behavior, so the unsafe path is reachable without enabling full templating. The fix renders these values with jinja2.sandbox.SandboxedEnvironment and skips Jinja generator processing when simple templates are used.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and load reference sets from untrusted sources with ReferenceFileSystem.

Background info

fsspec is vulnerable to Server-Side Template Injection (SSTI) in versions 0.9.0 - 2026.4.0.

How to fix this

Upgrade the fsspec library to the patch version.